Blue Ocean did not require CSRF tokens ("crumbs") for POST requests with the Content-Type: application/json. Blue Ocean now requires that valid CSRF tokens are present in POST requests.
Tag: CSRF
ASA-2019-00093 – Jenkins: Cross-Site Request Forgery (CSRF) vulnerability in Git Plugin
Git Plugin allows the creation of a tag in a job workspace’s Git repository with accompanying metadata attached to a build record. The HTTP endpoint to create the tag did not require POST requests, resulting in a CSRF vulnerability. The HTTP endpoint to create the tag now requires that requests are sent via POST.
ASA-2019-00090 – Jenkins: Sandbox bypass via Cross-Site Request Forgery (CSRF) in Warnings Plugin
Warnings Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site request forgery (CSRF). This allowed attackers to execute arbitrary code on the Jenkins master by applying AST transforming annotations such as @Grab to source code elements. The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations. Additionally, the form validation HTTP endpoint now requires that requests be sent via POST to prevent CSRF.
ASA-2018-00072 – phpMyAdmin: XSRF/CSRF vulnerability due to application receiving parameters via GET
By deceiving a user into clicking a crafted URL, an attacker can perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.