[JENKINS:SECURITY-1332] Unprivileged users with Overall/Read access are able to enumerate credential IDs in Azure VM Agents Plugin
Severity: Medium
Affected Packages: 2
Fixed Packages: 2
CVEs: 1
Azure VM Agents Plugin provides a list of applicable credential IDs so that administrators configuring the plugin can select the one to use.
This functionality did not check permissions, allowing any user with Overall/Read permission to obtain a list of valid credential IDs.
Those IDs could be used as part of an attack to capture the credentials using another vulnerability.
Enumeration of credential IDs in this plugin now requires Overall/Administer permission.
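The defect and its fix follow a well-known Jenkins form-validation pattern: a `doFill...Items` method that populates a credentials dropdown must itself decide who may see the list, because its response (the option values) is what the browser receives. The example below is added here for illustration and is not the plugin's own code; the class name `ExampleCloudDescriptor`, the method names and the use of username/password credentials are assumptions. It shows the unguarded shape next to a guarded one that requires Overall/Administer and otherwise returns only the value already configured.

```java
// Added illustrative example (not the Azure VM Agents Plugin's own code).
// Class, method and field names are assumptions chosen for this example.
import hudson.model.Descriptor;
import hudson.security.ACL;
import hudson.slaves.Cloud;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;

public class ExampleCloudDescriptor extends Descriptor<Cloud> {

    @Override
    public String getDisplayName() {
        return "Example cloud (illustrative only)";
    }

    // BEFORE: the shape the advisory describes. Nothing checks who is asking,
    // so any user who can reach the endpoint (Overall/Read is enough to reach
    // descriptor URLs) receives every matching credential ID.
    public ListBoxModel doFillCredentialsIdItemsUnguarded() {
        return listCredentials();
    }

    // AFTER: cloud configuration is global, so the appropriate gate is
    // Overall/Administer. Callers without it get back only the value that is
    // already configured (so an existing form still renders), never the list.
    // @POST additionally limits the endpoint to POST requests carrying a CSRF
    // crumb, so the list cannot be pulled by a plain cross-site GET.
    @POST
    public ListBoxModel doFillCredentialsIdItems(@QueryParameter String credentialsId) {
        StandardListBoxModel model = new StandardListBoxModel();
        if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
            return model.includeCurrentValue(credentialsId);
        }
        return listCredentials();
    }

    // Shared enumeration: resolve credentials as SYSTEM in the global context.
    // Running as SYSTEM is exactly why the permission check above must happen
    // first; the lookup itself will not refuse anyone.
    private ListBoxModel listCredentials() {
        return new StandardListBoxModel()
                .includeEmptyValue()
                .includeAs(ACL.SYSTEM, Jenkins.get(), StandardUsernamePasswordCredentials.class);
    }
}
```

The point for reviewers of similar plugins is that hiding the dropdown in the UI is not a control: the `doFill` endpoint answers directly, so the check belongs inside it, and a test that calls the method as a user holding only Overall/Read and asserts the returned model contains no IDs other than the current value is the regression check to add.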
Package | Affected Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/azure-vm-agents | <= 0.8.0 |
pkg:github/jenkinsci/azure-vm-agents-plugin | <= 0.8.0 |
Package | Fixed Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/azure-vm-agents | = 0.8.1 |
pkg:github/jenkinsci/azure-vm-agents-plugin | = 0.8.1 |
- ID: JENKINS:SECURITY-1332
- Severity: medium
- Published: 2019-03-06T00:00:00
- Modified: 2019-03-06T00:00:00
- Rights: Jenkins Security Team
- Other Advisories
Source | ID | Name | URL |
---|---|---|---|
Plugin repository | | azure-vm-agents repository | https://github.com/jenkinsci/azure-vm-agents-plugin |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/org.jenkins-ci.plugins/azure-vm-agents | org.jenkins-ci.plugins | azure-vm-agents | <= 0.8.0 | | | |
Fixed | pkg:maven/org.jenkins-ci.plugins/azure-vm-agents | org.jenkins-ci.plugins | azure-vm-agents | = 0.8.1 | | | |
Affected | pkg:github/jenkinsci/azure-vm-agents-plugin | jenkinsci | azure-vm-agents-plugin | <= 0.8.0 | | | |
Fixed | pkg:github/jenkinsci/azure-vm-agents-plugin | jenkinsci | azure-vm-agents-plugin | = 0.8.1 | | | |