
CVE-2023-25768: Missing Authorization in Jenkins Azure Credentials Plugin

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.15317%
Published: 2/15/2023
Updated: 1/5/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Package Name: org.jenkins-ci.plugins:azure-credentials
Ecosystem: maven
Vulnerable Versions: <= 253.v887e0f9e898b
First Patched Version: 254.v64da_8176c83a

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from form validation endpoints that lacked both authorization checks (CWE-862) and CSRF protection. The commit diff shows these methods were modified to: 1) Add @POST annotations to prevent CSRF, 2) Implement permission checks (ADMINISTER or CONFIGURE), and 3) Include ancestor path validation. The affected doVerifyConfiguration methods in multiple credential classes allowed attackers with just Read permissions to interact with external systems, which was corrected by the authorization checks added in the patch.
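The three changes described above, shown together on a single Jenkins form-validation method. This is an added illustration of the fix pattern, not the azure-credentials plugin's own code: the class name, the serverUrl parameter and the probe() placeholder are assumptions, while the Jenkins and Stapler APIs used (@POST, @AncestorInPath, Jenkins.ADMINISTER, Item.CONFIGURE, FormValidation) are the standard ones this pattern relies on.

```java
// Added illustration of the Jenkins form-validation hardening pattern;
// not the azure-credentials plugin's own code. The class name, the
// serverUrl parameter and probe() are assumptions for illustration.
import hudson.model.Item;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ExampleCredentialsDescriptor {

    // Shape of the vulnerable endpoint (hypothetical, kept as a comment):
    //
    //   public FormValidation doVerifyConfiguration(@QueryParameter String serverUrl) {
    //       return probe(serverUrl);
    //   }
    //
    // Reachable by GET, no permission check: any authenticated user with
    // Overall/Read could make the controller contact a caller-chosen server,
    // and a crafted link could do it on an administrator's behalf (CSRF).

    // Hardened form:
    //  1) @POST rejects GET requests and requires a valid crumb (CSRF token).
    //  2) Permission is checked before any outbound connection is made.
    //  3) @AncestorInPath tells us whether the form is the global
    //     configuration page (owner == null) or an item-scoped credential
    //     store, so the right permission is enforced in each case.
    @POST
    public FormValidation doVerifyConfiguration(
            @AncestorInPath Item owner,
            @QueryParameter String serverUrl) {
        if (owner == null) {
            // Global credential store: only administrators may trigger it.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            // Item-scoped store: caller must be able to configure that item.
            owner.checkPermission(Item.CONFIGURE);
        }
        return probe(serverUrl);
    }

    // Placeholder for the real verification against the external system;
    // only input validation is shown here.
    private FormValidation probe(String serverUrl) {
        if (serverUrl == null || serverUrl.trim().isEmpty()) {
            return FormValidation.error("Server URL is required");
        }
        return FormValidation.ok("Configuration looks valid");
    }
}
```

checkPermission() throws AccessDeniedException when the caller lacks the permission, so Jenkins returns a 403 before probe() runs; the same method then serves both the global and the folder-level credential forms without a separate code path.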


WAF Protection Rules

WAF Rule

A missing permission check in Jenkins Azure Credentials Plugin 253.v887e0f9e898b and earlier allows attackers with Overall/Read permission to connect to an attacker-specified web server.
