VYPR
Moderate severity · NVD Advisory · Published Mar 8, 2019 · Updated Aug 5, 2024

CVE-2019-1003036

Description

A data modification vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java that allows attackers with Overall/Read permission to attach a public IP address to an Azure VM agent.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:azure-vm-agents | Maven | < 0.8.1 | 0.8.1 |

Patches

6cf1e1177899

[SECURITY-1331]

1 file changed · +4 −0
  • src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java · +4 −0 · modified
    @@ -21,6 +21,7 @@
     import com.microsoft.azure.vmagent.util.CleanUpAction;
     import com.microsoft.azure.vmagent.util.Constants;
     import hudson.Extension;
    +import hudson.model.Computer;
     import hudson.model.Descriptor.FormException;
     import hudson.model.TaskListener;
     import hudson.slaves.AbstractCloudComputer;
    @@ -39,6 +40,7 @@
     import org.jvnet.localizer.Localizable;
     import org.kohsuke.stapler.DataBoundConstructor;
     import org.kohsuke.stapler.QueryParameter;
    +import org.kohsuke.stapler.interceptor.RequirePOST;
     
     import javax.annotation.CheckForNull;
     import javax.annotation.Nullable;
    @@ -594,7 +596,9 @@ public boolean isInstantiable() {
             }
     
             //abusing a bit of f:validateButton because it has nice progress
    +        @RequirePOST
             public FormValidation doAttachPublicIP(@QueryParameter String vmAgentName) {
    +            Jenkins.getInstance().checkPermission(Computer.CONFIGURE);
                 AzureVMAgent vmAgent = (AzureVMAgent) Jenkins.getInstance().getNode(vmAgentName);
                 String publicIP = "";
                 if (vmAgent != null) {
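
Review bot: the added Jenkins.getInstance().checkPermission(Computer.CONFIGURE) in doAttachPublicIP runs against the Jenkins root before the agent named by vmAgentName is resolved, so the decision is global rather than tied to the agent being modified. Consider resolving the node first and checking Computer.CONFIGURE on that agent's own ACL, so that authorization strategies which scope agent permissions per node are honoured. Separately, the context line casts the result of getNode(vmAgentName) to AzureVMAgent unconditionally; because vmAgentName is a request parameter, a name that refers to a non-Azure node will raise ClassCastException instead of returning a FormValidation error, and an instanceof guard before the cast would avoid that. A short comment above the method stating that it changes cloud state, and therefore needs both @RequirePOST and the permission check, would help keep the two guards together in later edits.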
    
