Improper Permission Check in Jenkins Azure VM Agents Plugin by Jenkins
CVE-2023-32990

6.5 MEDIUM

Key Information:

Vendor: Jenkins
CVE Published: 16 May 2023

Summary

A vulnerability in the Jenkins Azure VM Agents Plugin allows authenticated attackers with Overall/Read permission to connect to arbitrary Azure Cloud servers. The plugin omits a permission check on a code path that accepts an attacker-specified credential ID, so a low-privileged user can trigger the connection. The flaw can lead to unauthorized access to sensitive cloud resources and may compromise the security of the deployed environment. Organizations using this plugin should review their configurations and apply any available patches as soon as possible to mitigate this risk.

Affected Version(s)

Jenkins Azure VM Agents Plugin, all versions up to and including 852.v8d35f0960a_43

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
