CVE-2023-32990

Name of the Vulnerable Software and Affected Versions Jenkins Azure VM Agents Plugin versions 852.v8d35f0960a 43 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method. The plugin does not perform permission checks in several HTTP endpoints, which also results in a cross-site request forgery (CSRF) vulnerability due to the lack of requirement for POST requests.

Recommendations For Jenkins Azure VM Agents Plugin versions 852.v8d35f0960a 43 and earlier, update to version 853.v4a 1a dd947520 or later, which requires POST requests and the appropriate permissions for the affected HTTP endpoints.