This allows attackers with Overall/Read permission to connect to an attacker-specified Azure Cloud server using attacker-specified credentials IDs obtained through another method.

Additionally, these HTTP endpoints do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Azure VM Agents Plugin 853.v4a_1a_dd947520 requires POST requests and the appropriate permissions for the affected HTTP endpoints.

Affected Packages

Maven org.jenkins-ci.plugins:azure-vm-agents

Affected versions: 0 (fixed in 853.v4a)

Related CVEs

CVE-2023-32989

Key Information

GHSA ID

GHSA-26j3-4m55-j6r7

Published

May 16, 2023 6:30 PM

Last Modified

May 17, 2023 3:24 AM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:azure-vm-agents

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 3, 2025 6:18 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.