GHSA-26j3-4m55-j6r7

Опубликовано: 16 мая 2023

Источник: github

Github: Прошло ревью

CVSS3: 4.3

Описание

Jenkins Azure VM Agents Plugin Cross-site Request Forgery vulnerability

Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier does not perform permission checks in several HTTP endpoints.

This allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Azure VM Agents Plugin 853.v4a_1a_dd947520 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

Ссылки

Пакеты

Наименование

org.jenkins-ci.plugins:azure-vm-agents

maven

Затронутые версииВерсия исправления

< 853.v4a

853.v4a

EPSS

Процентиль: 44%

0.00215

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2023-32989

Дефекты

CWE-352

Связанные уязвимости

CVE-2023-32989

CVSS3: 8.8

nvd

больше 2 лет назад

A cross-site request forgery (CSRF) vulnerability in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.

EPSS

Процентиль: 44%

0.00215

Низкий

4.3 Medium

CVSS3

CVE ID

CVE-2023-32989

Дефекты

CWE-352