CVE-2019-1003012
MEDIUM6.5EPSS 0.15%Cross-Site Request Forgery in Jenkins Blue Ocean Plugin
Published: 5/13/2022Modified: 2/16/2024
Description
A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API. The vulnerability is found in: - blueocean-core-js/src/js/bundleStartup.js - blueocean-core-js/src/js/fetch.ts - blueocean-core-js/src/js/i18n/i18n.js - blueocean-core-js/src/js/urlconfig.js - blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java - blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java - blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly
Affected packages (1)
- Maven/io.jenkins.blueocean:blueoceanfrom 0, < 1.10.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-1003012
- WEBhttps://access.redhat.com/errata/RHBA-2019:0326
- WEBhttps://access.redhat.com/errata/RHBA-2019:0327
- WEBhttps://github.com/jenkinsci/blueocean-plugin/commit/1a03020b5a50c1e3f47d4b0902ec7fc78d3c86ce
- WEBhttps://jenkins.io/security/advisory/2019-01-28/#SECURITY-1201