PT-2023-24123 · Jenkins · Jenkins Azure Vm Agents Plugin+1
Valdes Che Zogou
·
Published
2023-05-16
·
Updated
2023-05-26
·
CVE-2023-32990
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Azure VM Agents Plugin versions 852.v8d35f0960a 43 and earlier
Description
A missing permission check in the plugin allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method. The plugin does not perform permission checks in several HTTP endpoints, which also results in a cross-site request forgery (CSRF) vulnerability due to the lack of requirement for POST requests.
Recommendations
For Jenkins Azure VM Agents Plugin versions 852.v8d35f0960a 43 and earlier, update to version 853.v4a 1a dd947520 or later, which requires POST requests and the appropriate permissions for the affected HTTP endpoints.
Fix
Incorrect Permission
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Azure Vm Agents Plugin