CVE-2019-1003012

Description

A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API. The vulnerability is found in: - blueocean-core-js/src/js/bundleStartup.js - blueocean-core-js/src/js/fetch.ts - blueocean-core-js/src/js/i18n/i18n.js - blueocean-core-js/src/js/urlconfig.js - blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java - blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java - blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly

How to fix CVE-2019-1003012

To remediate CVE-2019-1003012, upgrade the affected package to a fixed version below.

• —upgrade to 1.10.2 or later

Is CVE-2019-1003012 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.10.2

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-1003012
• WEBaccess.redhat.com/errata/RHBA-2019:0326
• WEBaccess.redhat.com/errata/RHBA-2019:0327
• WEBgithub.com/jenkinsci/blueocean-plugin/commit/1a03020b5a50c1e3f47d4b0902ec7fc78d3c86ce