Main Vulnerability Database Vulnerabilities #VU17919

#VU17919 Improper access control in Azure VM Agents

Published: March 7, 2019 / Updated: March 7, 2019

Vulnerability identifier: #VU17919

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Azure VM Agents

Software vendor:
Jenkins

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to missing permissions check in a form validation method in Azure VM Agents Plugin. A remote attacker with Overall/Read access to verify a submitted configuration can obtain sensitive information about the Azure account and configuration.

Note, this vulnerability can be exploited via CSRF attack vector.

Remediation

Install update from vendor's website.

External links

https://jenkins.io/security/advisory/2019-03-06/