CVE-2023-32988

CWE-522 — Insufficiently Protected Credentials5 documents5 sources

Severity

4.3MEDIUM

EPSS

0.4%

top 37.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Azure VM Agents Plugin Jenkins Azure VM Agents

Timeline

PublishedMay 16

Description

A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:azure-vm-agents< 853.v4a

▶CVEListV5jenkins_project/jenkins_azure_vm_agents_plugin852.v8d35f0960a_43

▶NVDjenkins/azure_vm_agents852.v8d35f0960a_43

🔴Vulnerability Details

GHSA

Jenkins Azure VM Agents Plugin missing permission checks↗2023-05-16

▶

CVEList

CVE-2023-32988: A missing permission check in Jenkins Azure VM Agents Plugin 852↗2023-05-16

▶

OSV

Jenkins Azure VM Agents Plugin missing permission checks↗2023-05-16

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2023-05-16↗2023-05-16

▶