Moderate severity · NVD Advisory · Published Mar 8, 2019 · Updated Aug 5, 2024

CVE-2019-1003037

Description

An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:azure-vm-agents (Maven)
Affected versions: < 0.8.1
Patched versions: 0.8.1

Patches

e36c8a9b0a43

[SECURITY-1332]

2 files changed · +14 -10
  • pom.xml (+1 -1, modified)
    @@ -164,7 +164,7 @@
             <dependency>
                 <groupId>org.jenkins-ci.plugins</groupId>
                 <artifactId>credentials</artifactId>
    -            <version>2.1.5</version>
    +            <version>2.1.16</version>
             </dependency>
             <dependency>
                 <groupId>org.jenkins-ci.plugins</groupId>
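
Review bot: The credentials dependency jump from 2.1.5 to 2.1.16 is not explained anywhere in the change; the commit message is only "[SECURITY-1332]". If 2.1.16 is the minimum needed for the includeAs(ACL.SYSTEM, owner, ...) calls introduced in AzureVMCloud.java, say so in the commit message or in a comment beside the <version> element, so a later dependency cleanup does not lower it again.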
    
  • src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java (+13 -9, modified)
    @@ -17,7 +17,6 @@
     
     import com.cloudbees.plugins.credentials.CredentialsProvider;
     import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
    -import com.cloudbees.plugins.credentials.domains.DomainRequirement;
     import com.google.common.base.Supplier;
     import com.google.common.base.Suppliers;
     import com.microsoft.azure.PagedList;
    @@ -1099,16 +1098,21 @@ public FormValidation doVerifyConfiguration(
             }
     
             public ListBoxModel doFillAzureCredentialsIdItems(@AncestorInPath Item owner) {
    +            StandardListBoxModel result = new StandardListBoxModel();
    +            if (owner == null) {
    +                if (!Jenkins.getInstance().hasPermission(Jenkins.ADMINISTER)) {
    +                    return result;
    +                }
    +            } else {
    +                if (!owner.hasPermission(owner.EXTENDED_READ)
    +                        && !owner.hasPermission(CredentialsProvider.USE_ITEM)) {
    +                    return result;
    +                }
    +            }
                 return new StandardListBoxModel()
                         .includeEmptyValue()
    -                    .withAll(CredentialsProvider.lookupCredentials(AzureCredentials.class,
    -                            owner,
    -                            ACL.SYSTEM,
    -                            Collections.<DomainRequirement>emptyList()))
    -                    .withAll(CredentialsProvider.lookupCredentials(AzureMsiCredentials.class,
    -                            owner,
    -                            ACL.SYSTEM,
    -                            Collections.<DomainRequirement>emptyList()));
    +                    .includeAs(ACL.SYSTEM, owner, AzureCredentials.class)
    +                    .includeAs(ACL.SYSTEM, owner, AzureMsiCredentials.class);
             }
     
             public ListBoxModel doFillExistingResourceGroupNameItems(@QueryParameter String azureCredentialsId)
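
Review bot: In doFillAzureCredentialsIdItems the new result variable is used only for the two early returns, and the permitted path still builds a second new StandardListBoxModel(); chain includeEmptyValue() and the two includeAs(...) calls on result so there is a single model. The denied branches also return a list with no entries at all, while the permitted path starts with includeEmptyValue(), so decide whether the empty option should be present in both cases and make them consistent. owner.EXTENDED_READ reads a static constant through an instance reference; write Item.EXTENDED_READ. The nested if blocks can be flattened to one condition per branch. With both Collections.<DomainRequirement>emptyList() calls removed, check whether the Collections import is still used, as was done for the DomainRequirement import.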
    
