Описание
Cross-Site Request Forgery in Jenkins Blue Ocean Plugin
A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API. The vulnerability is found in:
- blueocean-core-js/src/js/bundleStartup.js
- blueocean-core-js/src/js/fetch.ts
- blueocean-core-js/src/js/i18n/i18n.js
- blueocean-core-js/src/js/urlconfig.js
- blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java
- blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java
- blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly
Ссылки
Пакеты
io.jenkins.blueocean:blueocean
< 1.10.2
1.10.2
Связанные уязвимости
A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API.
A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API.