Jenkins Blue Ocean vulnerabilities

CVE-2023-40341 [HIGH] CWE-352 CVE-2023-40341: A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier al A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.

CVE-2022-30952 [MEDIUM] CWE-522 CVE-2022-30952: Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configur Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.

CVE-2022-30954 [MEDIUM] CWE-862 CVE-2022-30954: Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP end Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.

CVE-2022-30953 [MEDIUM] CWE-352 CVE-2022-30953: A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier al A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.

CVE-2020-2254 [MEDIUM] CWE-22 CVE-2020-2254: Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enable Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system.

CVE-2020-2255 [MEDIUM] CWE-862 CVE-2020-2255: A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Ove A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.

CVE-2019-1003013 [MEDIUM] CWE-79 CVE-2019-1003013: An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blu An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/expor

CVE-2019-1003012 [MEDIUM] CWE-352 CVE-2019-1003012: A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueoce A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/m

CVE-2017-1000106 [HIGH] CWE-287 CVE-2017-1000106: Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organ Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. Its SCM content REST API supports the pipeline creation and editing feature in Blue Ocean. The SCM content REST API did not check the curr

CVE-2017-1000110 [MEDIUM] CWE-287 CVE-2017-1000110: Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organ Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. It did not properly check the current user's authentication and authorization when configuring existing GitHub organization folders. Thi

CVE-2017-1000105 [MEDIUM] CWE-862 CVE-2017-1000105: The optional Run/Artifacts permission can be enabled by setting a Java system property. Blue Ocean d The optional Run/Artifacts permission can be enabled by setting a Java system property. Blue Ocean did not check this permission before providing access to archived artifacts, Item/Read permission was sufficient.