[JENKINS:SECURITY-1332] Unprivileged users with Overall/Read access are able to enumerate credential IDs in Azure VM Agents Plugin

Severity: Medium
Affected Packages: 2
Fixed Packages: 2
CVEs: 1

Azure VM Agents Plugin provides a list of applicable credential IDs to allow administrators configuring the plugin to select the one to use.

This functionality did not check permissions, allowing any user with Overall/Read permission to get a list of valid credential IDs.
Those IDs could be used as part of an attack to capture the credentials using another vulnerability.

Enumerating credential IDs in this plugin now requires Overall/Administer permission.
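The missing check and its fix, as an added sketch of the general Jenkins form-fill pattern; this is not the plugin's own code. The class names, the `credentialsId` field name and the method placement are hypothetical, and the code assumes Jenkins core and the Credentials plugin on the classpath.

```java
import com.cloudbees.plugins.credentials.common.StandardCredentials;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;

/**
 * Illustration only. In a real plugin these doFill* methods live on the
 * Descriptor of the configurable class, and Stapler exposes them over HTTP
 * to populate the credentials drop-down on the configuration form.
 */
public class CredentialsDropdownExample {

    /** Before: no permission check, so any user who can reach the URL gets the ID list. */
    public static class Before {
        public ListBoxModel doFillCredentialsIdItems() {
            return new StandardListBoxModel()
                    .includeEmptyValue()
                    // Looked up as SYSTEM, so the caller's own rights never limit the result.
                    .includeAs(ACL.SYSTEM, Jenkins.get(), StandardCredentials.class);
        }
    }

    /** After: only Overall/Administer may enumerate credential IDs. */
    public static class After {
        public ListBoxModel doFillCredentialsIdItems(@QueryParameter String credentialsId) {
            StandardListBoxModel result = new StandardListBoxModel();
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                // Echo back only the value the form already holds; reveal nothing new.
                return result.includeCurrentValue(credentialsId);
            }
            return result
                    .includeEmptyValue()
                    // ACL.SYSTEM is the Acegi-era constant; current cores use ACL.SYSTEM2.
                    .includeAs(ACL.SYSTEM, Jenkins.get(), StandardCredentials.class)
                    .includeCurrentValue(credentialsId);
        }
    }
}
```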

ID: JENKINS:SECURITY-1332
Severity: medium
Published: 2019-03-06T00:00:00
Modified: 2019-03-06T00:00:00
Rights: Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository azure-vm-agents repository https://github.com/jenkinsci/azure-vm-agents-plugin
Type | Package URL | Namespace | Name / Product | Version
Affected | pkg:maven/org.jenkins-ci.plugins/azure-vm-agents | org.jenkins-ci.plugins | azure-vm-agents | <= 0.8.0
Fixed | pkg:maven/org.jenkins-ci.plugins/azure-vm-agents | org.jenkins-ci.plugins | azure-vm-agents | = 0.8.1
Affected | pkg:github/jenkinsci/azure-vm-agents-plugin | jenkinsci | azure-vm-agents-plugin | <= 0.8.0
Fixed | pkg:github/jenkinsci/azure-vm-agents-plugin | jenkinsci | azure-vm-agents-plugin | = 0.8.1