ASA-2019-00095 – Jenkins: Blue Ocean Plugin did not require Cross-Site Request Forgery (CSRF) tokens


Allele Security Alert

ASA-2019-00095

Identifier(s)

ASA-2019-00095, SECURITY-1201, CVE-2019-1003012

Title

Blue Ocean Plugin did not require Cross-Site Request Forgery (CSRF) tokens

Vendor(s)

CloudBees, Inc

Product(s)

Jenkins

Affected version(s)

Blue Ocean Plugin up to and including 1.10.1

Fixed version(s)

Blue Ocean Plugin version 1.10.2

Proof of concept

Unknown

Description

Blue Ocean did not require Cross-Site Request Forgery (CSRF) tokens ("crumbs") for POST requests sent with the Content-Type application/json, so such requests were processed without any proof that they originated from the Jenkins UI rather than from a page on another origin. Relying on the Content-Type header as a CSRF control is fragile; the robust check is a per-session token that a cross-origin page cannot obtain.

Blue Ocean 1.10.2 removes the exemption and requires that a valid CSRF token be present in every POST request, regardless of Content-Type.
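The following is an added illustration of the check described above; it is not Blue Ocean or Jenkins code. It models a crumb filter in its pre-1.10.2 shape (JSON POSTs exempted) beside the corrected shape (every POST must carry a crumb), and runs both over constructed requests. The crumb derivation (an HMAC over the session id), the server secret, the request class and the field name Jenkins-Crumb are assumptions made for the demo.

```python
"""Model of a Jenkins-style CSRF "crumb" check on POST requests.

Constructed example, not Blue Ocean or Jenkins code. The crumb derivation,
the field name and the request shape are assumptions made for the demo.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed: the crumb travels in a "Jenkins-Crumb" header or form field, and
# SERVER_SECRET stands in for a server-side salt that no client can read.
CRUMB_FIELD = "Jenkins-Crumb"
SERVER_SECRET = b"constructed-server-secret"


@dataclass
class Request:
    method: str
    session_id: str  # session cookie; a browser attaches it to cross-site requests too
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

    def content_type(self) -> str:
        # Drop parameters such as "; charset=utf-8" before comparing the media type.
        return self.headers.get("Content-Type", "").split(";")[0].strip().lower()


def issue_crumb(session_id: str) -> str:
    """Per-session token. A page on another origin cannot read it, which is
    what makes it a CSRF defence; the session cookie alone proves nothing."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def crumb_is_valid(req: Request) -> bool:
    presented = req.headers.get(CRUMB_FIELD) or req.form.get(CRUMB_FIELD)
    if presented is None:
        return False
    return hmac.compare_digest(presented, issue_crumb(req.session_id))


def vulnerable_filter(req: Request) -> bool:
    """Behaviour the advisory describes for versions up to 1.10.1:
    POSTs with Content-Type application/json skip the crumb check."""
    if req.method != "POST":
        return True
    if req.content_type() == "application/json":
        return True  # the gap: no token demanded for JSON bodies
    return crumb_is_valid(req)


def fixed_filter(req: Request) -> bool:
    """Behaviour from 1.10.2: every POST needs a valid crumb, whatever the
    Content-Type says."""
    if req.method != "POST":
        return True
    return crumb_is_valid(req)


# Constructed traffic. The forged requests carry the victim's session cookie
# (the browser adds it) but cannot carry the crumb.
VICTIM_SESSION = "sess-victim-0001"
FORGED_JSON_POST = Request("POST", VICTIM_SESSION,
                           headers={"Content-Type": "application/json; charset=utf-8"})
LEGIT_JSON_POST = Request("POST", VICTIM_SESSION,
                          headers={"Content-Type": "application/json",
                                   CRUMB_FIELD: issue_crumb(VICTIM_SESSION)})
FORGED_FORM_POST = Request("POST", VICTIM_SESSION,
                           headers={"Content-Type": "application/x-www-form-urlencoded"})


def demo() -> dict:
    """Run both filters over the constructed requests and report the outcome."""
    return {
        "vulnerable_accepts_forged_json": vulnerable_filter(FORGED_JSON_POST),
        "fixed_accepts_forged_json": fixed_filter(FORGED_JSON_POST),
        "fixed_accepts_legit_json": fixed_filter(LEGIT_JSON_POST),
        "both_reject_forged_form": (not vulnerable_filter(FORGED_FORM_POST)
                                    and not fixed_filter(FORGED_FORM_POST)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that the forged JSON request uses a Content-Type with a charset parameter; the filter normalises the media type before comparing, since a naive string equality on the raw header would let such a request fall through the exemption in a different way. The crumb comparison uses a constant-time compare so that the check itself does not leak the token byte by byte.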

Technical details

Unknown

Credits

Wadeck Follonier (CloudBees, Inc)

Reference(s)

Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28

Jenkins Plugins
https://plugins.jenkins.io/blueocean

CVE-2019-1003012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003012

CVE-2019-1003012
https://nvd.nist.gov/vuln/detail/CVE-2019-1003012

If you find an error in this alert or would like a comprehensive analysis, let us know.

Last modified: February 24, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.