Moderate severity · NVD Advisory · Published Mar 8, 2019 · Updated Aug 5, 2024

CVE-2019-1003035

Description

An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java, src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to perform the 'verify configuration' form validation action, thereby obtaining limited information about the Azure configuration.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                          Affected versions   Patched versions
org.jenkins-ci.plugins:azure-vm-agents (Maven)   < 0.8.1             0.8.1

Patches

91bfc7d95ae1

[SECURITY-1330]

2 files changed · +6 0
  • src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java+3 0 modified
    @@ -55,6 +55,7 @@
     import org.kohsuke.stapler.AncestorInPath;
     import org.kohsuke.stapler.DataBoundConstructor;
     import org.kohsuke.stapler.QueryParameter;
    +import org.kohsuke.stapler.interceptor.RequirePOST;
     
     import javax.servlet.ServletException;
     import javax.xml.bind.DatatypeConverter;
    @@ -1234,6 +1235,7 @@ public FormValidation doCheckJvmOptions(@QueryParameter String value) {
                 return FormValidation.ok();
             }
     
    +        @RequirePOST
             public FormValidation doVerifyConfiguration(
                     @RelativePath("..") @QueryParameter String azureCredentialsId,
                     @RelativePath("..") @QueryParameter String resourceGroupReferenceType,
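Review bot: `@RequirePOST` on `doVerifyConfiguration` restricts the HTTP method only, so by itself it addresses cross-site request forgery and leaves the Overall/Read exposure described in the advisory in place; the access control rests entirely on the `checkPermission` call added at the top of the method body. A short comment or Javadoc on the method stating both requirements (POST and Administer) would keep a later refactor from dropping one of them.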
    @@ -1269,6 +1271,7 @@ public FormValidation doVerifyConfiguration(
                     @QueryParameter String nsgName,
                     @QueryParameter String jvmOptions,
                     @QueryParameter String imageReferenceType) {
    +            Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
     
                 /*
                 imageReferenceType will not be passed to doVerifyConfiguration
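Review bot: The added `Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);` dereferences the return value of `Jenkins.getInstance()` directly. On core versions where that method is declared nullable, this trips static analysis and can surface as a NullPointerException rather than an access-denied response; if the plugin's core baseline offers a non-null accessor (`Jenkins.getActiveInstance()`, or `Jenkins.get()` on newer cores), prefer it here. The placement as the first statement, ahead of the existing block comment and any use of the parameters, is right and should stay that way.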
    
  • src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java+3 0 modified
    @@ -63,6 +63,7 @@
     import org.kohsuke.stapler.AncestorInPath;
     import org.kohsuke.stapler.DataBoundConstructor;
     import org.kohsuke.stapler.QueryParameter;
    +import org.kohsuke.stapler.interceptor.RequirePOST;
     
     import javax.servlet.ServletException;
     import java.io.IOException;
    @@ -1073,13 +1074,15 @@ public String getDefaultResourceGroupName() {
                 return Constants.DEFAULT_RESOURCE_GROUP_NAME;
             }
     
    +        @RequirePOST
             public FormValidation doVerifyConfiguration(
                     @QueryParameter String azureCredentialsId,
                     @QueryParameter String maxVirtualMachinesLimit,
                     @QueryParameter String deploymentTimeout,
                     @QueryParameter String resourceGroupReferenceType,
                     @QueryParameter String newResourceGroupName,
                     @QueryParameter String existingResourceGroupName) {
    +            Jenkins.getInstance().checkPermission(Jenkins.ADMINISTER);
     
                 String resourceGroupName = getResourceGroupName(
                         resourceGroupReferenceType, newResourceGroupName, existingResourceGroupName);
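Review bot: No test accompanies the change (the commit touches two source files, +6 lines), and the same two-line guard is now repeated in `AzureVMAgentTemplate` and `AzureVMCloud`. Suggest a test that calls `doVerifyConfiguration` as a user holding only Overall/Read and expects a denial, plus one that sends GET and expects rejection, so the check that precedes `getResourceGroupName(...)` cannot regress silently in either class.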
    
