GitHub Advisory Database: GHSA-Q77X-CXRQ-988J
Published: May 16, 2023, 18:30 (github.com)

Jenkins Azure VM Agents Plugin missing permission checks

Tags: jenkins, azure, vm, permission checks, http endpoints, csrf, vulnerability, azure cloud server, credentials, post requests

CVSS3: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: LOW
  Integrity Impact: NONE
  Availability Impact: NONE

EPSS: 0.001 (percentile 17.3%)

Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Azure VM Agents Plugin 853.v4a_1a_dd947520 requires POST requests and the appropriate permissions for the affected HTTP endpoints.
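The fix the advisory describes (POST-only endpoints plus a permission check) is the standard Jenkins hardening pattern for descriptor "do*" methods. The block below is an added illustration written for this page, not code from the Azure VM Agents plugin: the cloud class, its descriptor, the method names `doVerifyConfigurationUnsafe` and `doVerifyConfiguration`, the `serverUrl`/`credentialsId` parameters and the placeholder validation logic are all assumptions. The Jenkins and Stapler APIs it uses (`@POST`, `Jenkins.get().checkPermission`, `Jenkins.ADMINISTER`, `FormValidation`) are real.

```java
// Added illustration, not the Azure VM Agents plugin's own code: a hypothetical
// Jenkins cloud descriptor showing an endpoint in the shape the advisory describes
// next to its hardened form. Class, method and parameter names are assumptions.
package example.hardened;

import hudson.Extension;
import hudson.model.Descriptor;
import hudson.model.Label;
import hudson.slaves.Cloud;
import hudson.slaves.NodeProvisioner;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.Collection;
import java.util.Collections;

public class ExampleCloud extends Cloud {

    public ExampleCloud(String name) {
        super(name);
    }

    // Provisioning is out of scope for this illustration: the cloud never provisions.
    @Override
    public boolean canProvision(Label label) {
        return false;
    }

    @Override
    public Collection<NodeProvisioner.PlannedNode> provision(Label label, int excessWorkload) {
        return Collections.emptyList();
    }

    @Extension
    public static final class DescriptorImpl extends Descriptor<Cloud> {

        @Override
        public String getDisplayName() {
            return "Example cloud (hardened endpoints)";
        }

        // BEFORE: the pattern the advisory describes. Stapler serves do* methods
        // over any HTTP verb, and nothing here checks a permission, so any user
        // with Overall/Read (or a victim's browser following a cross-site GET)
        // can make the controller connect to a server and credentials ID of the
        // caller's choosing.
        public FormValidation doVerifyConfigurationUnsafe(@QueryParameter String serverUrl,
                                                          @QueryParameter String credentialsId) {
            return connectAndValidate(serverUrl, credentialsId);
        }

        // AFTER: @POST makes Stapler reject non-POST requests, which removes the
        // cross-site GET trigger and puts the request under Jenkins' CSRF crumb
        // protection; checkPermission throws AccessDeniedException for callers
        // without Overall/Administer before any outbound connection is attempted.
        @POST
        public FormValidation doVerifyConfiguration(@QueryParameter String serverUrl,
                                                    @QueryParameter String credentialsId) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return connectAndValidate(serverUrl, credentialsId);
        }

        // Placeholder for the outbound connection attempt: only the URL shape and
        // the presence of a credentials ID are checked here.
        private static FormValidation connectAndValidate(String serverUrl, String credentialsId) {
            if (credentialsId == null || credentialsId.isEmpty()) {
                return FormValidation.error("Select a credentials ID");
            }
            try {
                URL url = new URL(serverUrl);
                if (!"https".equals(url.getProtocol())) {
                    return FormValidation.error("Server URL must use https");
                }
            } catch (MalformedURLException e) {
                return FormValidation.error("Invalid server URL: " + e.getMessage());
            }
            return FormValidation.ok("Configuration looks valid");
        }
    }
}
```

The two things to verify when reviewing a plugin for this class of issue are that every `do*` method that performs a side effect or an outbound connection carries `@POST` (or `@RequirePOST`) and that it calls `checkPermission` against a permission stronger than Overall/Read before doing anything with caller-supplied input. Instances running 852.v8d35f0960a_43 or earlier should upgrade to 853.v4a_1a_dd947520, which applies both to the affected endpoints.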

Affected configurations

Vulners node: org.jenkins-ci.plugins:azure-vm-agents, range <853.v4a

Vendor                   Product          Version  CPE
org.jenkins-ci.plugins   azure-vm-agents  *        cpe:2.3:a:org.jenkins-ci.plugins:azure-vm-agents:*:*:*:*:*:*:*:*
