CVE-2019-1003012
MEDIUM6.5EPSS 0.15%Cross-Site Request Forgery in Jenkins Blue Ocean Plugin
發布日:2022/5/13修改日:2024/2/16
描述
A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API. The vulnerability is found in: - blueocean-core-js/src/js/bundleStartup.js - blueocean-core-js/src/js/fetch.ts - blueocean-core-js/src/js/i18n/i18n.js - blueocean-core-js/src/js/urlconfig.js - blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java - blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java - blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly
受影響套件(1)
- Maven/io.jenkins.blueocean:blueoceanfrom 0, < 1.10.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-1003012
- WEBhttps://access.redhat.com/errata/RHBA-2019:0326
- WEBhttps://access.redhat.com/errata/RHBA-2019:0327
- WEBhttps://github.com/jenkinsci/blueocean-plugin/commit/1a03020b5a50c1e3f47d4b0902ec7fc78d3c86ce
- WEBhttps://jenkins.io/security/advisory/2019-01-28/#SECURITY-1201