Data Modification Vulnerability in Jenkins Blue Ocean Plugins by CloudBees
CVE-2019-1003012

6.5 MEDIUM

Key Information:

Vendor: Jenkins
CVE Published: 6 February 2019

Summary

A data modification flaw in Jenkins Blue Ocean Plugins allows unauthorized attackers to circumvent cross-site request forgery (CSRF) protections. The vulnerability affects multiple components within the Blue Ocean API, specifically files such as bundleStartup.js and fetch.ts. Attackers can exploit it to manipulate data and execute unauthorized actions, potentially compromising the integrity of Jenkins instances that use these plugins. Users are advised to update to the latest versions to mitigate this risk.

Affected Version(s)

Jenkins Blue Ocean Plugins 1.10.1 and earlier

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
