CVE-2019-1003012Cross-Site Request Forgery in Jenkins Blue Ocean

CWE-352Cross-Site Request Forgery7 documents7 sources
Severity
6.5MEDIUMNVD
EPSS
0.2%
top 63.82%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Jenkins Blue OceanJenkins Project Jenkins Blue Ocean PluginsRedhat Openshift Container Platform
Timeline
PublishedFeb 6
Latest updateMay 13

Description

A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to by

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5jenkins_project/jenkins_blue_ocean_plugins1.10.1 and earlier
NVDjenkins/blue_ocean1.10.1

Also affects: Openshift Container Platform 3.11

🔴Vulnerability Details

3
GHSA
Cross-Site Request Forgery in Jenkins Blue Ocean Plugin2022-05-13
OSV
Cross-Site Request Forgery in Jenkins Blue Ocean Plugin2022-05-13
CVEList
CVE-2019-1003012: A data modification vulnerability exists in Jenkins Blue Ocean Plugins 12019-02-06

📋Vendor Advisories

2
Red Hat
jenkins-plugin-blueocean: Blue Ocean did not require CSRF tokens (SECURITY-1201)2019-01-28
Jenkins
Jenkins Security Advisory 2019-01-282019-01-28

💬Community

1
Bugzilla
CVE-2019-1003012 jenkins-plugin-blueocean: Blue Ocean did not require CSRF tokens (SECURITY-1201)2019-01-29
CVE-2019-1003012 — Cross-Site Request Forgery | cvebase