Missing permission check in Azure VM Agents Plugin allowed modifying VM configuration

2022-05-1301:15:08

Google

osv.dev

6.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

21.8%

JSON

A data modification vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java that allows attackers with Overall/Read permission to attach a public IP address to an Azure VM agent.

CPENameOperatorVersion
org.jenkins-ci.plugins:azure-vm-agentseq0.7.1
org.jenkins-ci.plugins:azure-vm-agentseq0.4.0
org.jenkins-ci.plugins:azure-vm-agentseq0.7.3
org.jenkins-ci.plugins:azure-vm-agentseq0.4.7
org.jenkins-ci.plugins:azure-vm-agentseq0.5.0
org.jenkins-ci.plugins:azure-vm-agentseq0.6.0
org.jenkins-ci.plugins:azure-vm-agentseq0.4.6
org.jenkins-ci.plugins:azure-vm-agentseq0.4.2
org.jenkins-ci.plugins:azure-vm-agentseq0.6.1
org.jenkins-ci.plugins:azure-vm-agentseq0.4.7.1

Name	Operator	Version
org.jenkins-ci.plugins:azure-vm-agents	eq	0.7.1
org.jenkins-ci.plugins:azure-vm-agents	eq	0.4.0
org.jenkins-ci.plugins:azure-vm-agents	eq	0.7.3
org.jenkins-ci.plugins:azure-vm-agents	eq	0.4.7
org.jenkins-ci.plugins:azure-vm-agents	eq	0.5.0
org.jenkins-ci.plugins:azure-vm-agents	eq	0.6.0
org.jenkins-ci.plugins:azure-vm-agents	eq	0.4.6
org.jenkins-ci.plugins:azure-vm-agents	eq	0.4.2
org.jenkins-ci.plugins:azure-vm-agents	eq	0.6.1
org.jenkins-ci.plugins:azure-vm-agents	eq	0.4.7.1