Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1xeGg1LTVyNXAtNWd2Zs4AAQ7r
Cross-Site Request Forgery in Jenkins Blue Ocean Plugin
A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API. The vulnerability is found in:
- blueocean-core-js/src/js/bundleStartup.js
- blueocean-core-js/src/js/fetch.ts
- blueocean-core-js/src/js/i18n/i18n.js
- blueocean-core-js/src/js/urlconfig.js
- blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java
- blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java
- blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xeGg1LTVyNXAtNWd2Zs4AAQ7r
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 11 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Identifiers: GHSA-qxh5-5r5p-5gvf, CVE-2019-1003012
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-1003012
- https://access.redhat.com/errata/RHBA-2019:0326
- https://access.redhat.com/errata/RHBA-2019:0327
- https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1201
- https://github.com/jenkinsci/blueocean-plugin/commit/1a03020b5a50c1e3f47d4b0902ec7fc78d3c86ce
- https://github.com/advisories/GHSA-qxh5-5r5p-5gvf
Blast Radius: 1.0
Affected Packages
maven:io.jenkins.blueocean:blueocean
Affected Version Ranges: < 1.10.2Fixed in: 1.10.2