Description
A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API.
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 3.10 | jenkins-plugin-blueocean | Will not fix | ||
| Red Hat OpenShift Container Platform 3.4 | jenkins-plugin-blueocean | Will not fix | ||
| Red Hat OpenShift Container Platform 3.5 | jenkins-plugin-blueocean | Will not fix | ||
| Red Hat OpenShift Container Platform 3.6 | jenkins-plugin-blueocean | Will not fix | ||
| Red Hat OpenShift Container Platform 3.7 | jenkins-plugin-blueocean | Will not fix | ||
| Red Hat OpenShift Container Platform 3.9 | jenkins-plugin-blueocean | Will not fix | ||
| Red Hat OpenShift Container Platform 4 | jenkins-2-plugins | Affected | ||
| Red Hat OpenShift Container Platform 3.11 | atomic-enterprise-service-catalog | Fixed | RHBA-2019:0326 | 20.02.2019 |
| Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Fixed | RHBA-2019:0326 | 20.02.2019 |
| Red Hat OpenShift Container Platform 3.11 | atomic-openshift-cluster-autoscaler | Fixed | RHBA-2019:0326 | 20.02.2019 |
Additional information
Status:
EPSS
CVSS3: 7.3 High
Related vulnerabilities
A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API.
Cross-Site Request Forgery in Jenkins Blue Ocean Plugin