Allele Security Alert
ASA-2019-00095
Identifier(s)
ASA-2019-00095, SECURITY-1201, CVE-2019-1003012
Title
Blue Ocean Plugin did not require Cross-Site Request Forgery (CSRF) tokens
Vendor(s)
CloudBees, Inc
Product(s)
Jenkins
Affected version(s)
Blue Ocean Plugin up to and including 1.10.1
Fixed version(s)
Blue Ocean Plugin version 1.10.2
Proof of concept
Unknown
Description
Blue Ocean did not require Cross-Site Request Forgery (CSRF) tokens (“crumbs”) for POST requests sent with Content-Type: application/json.
Blue Ocean now requires that valid Cross-Site Request Forgery (CSRF) tokens are present in POST requests.
Technical details
Unknown
Credits
Wadeck Follonier (CloudBees, Inc)
Reference(s)
Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28
Jenkins Plugins
https://plugins.jenkins.io/blueocean
CVE-2019-1003012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003012
CVE-2019-1003012
https://nvd.nist.gov/vuln/detail/CVE-2019-1003012
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: February 24, 2019