CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-40341 – jenkins-plugins: blueocean: CSRF vulnerability in Blue Ocean Plugin allows capturing credentials
https://notcve.org/view.php?id=CVE-2023-40341
16 Aug 2023 — A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. A flaw was found in the blueocean Jenkins plugin. Affected versions of this plugin allow attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. • http://www.openwall.com/lists/oss-security/2023/08/16/3 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-30954 – plugin: missing permission checks in Blue Ocean Plugin
https://notcve.org/view.php?id=CVE-2022-30954
17 May 2022 — Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server. El plugin Jenkins Blue Ocean versiones 1.25.3 y anteriores, no lleva a cabo una comprobación de permisos en varios endpoints HTTP, permitiendo a atacantes con permiso Overall/Read conectarse a un servidor HTTP especificado por el atacante Red Hat OpenShift Container Platform is Red Hat's cloud computing Ku... • http://www.openwall.com/lists/oss-security/2022/05/17/8 • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-30953 – plugin: CSRF vulnerability in Blue Ocean Plugin
https://notcve.org/view.php?id=CVE-2022-30953
17 May 2022 — A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server. Una vulnerabilidad de tipo cross-site request forgery (CSRF) en el plugin Jenkins Blue Ocean versiones 1.25.3 y anteriores, permite a atacantes conectarse a un servidor HTTP especificado por el atacante Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private clo... • http://www.openwall.com/lists/oss-security/2022/05/17/8 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-30952 – plugin: User-scoped credentials exposed to other users by Pipeline SCM API for Blue Ocean Plugin
https://notcve.org/view.php?id=CVE-2022-30952
17 May 2022 — Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins. La API SCM de Jenkins Pipeline para el plugin Blue Ocean versiones 1.25.3 y anteriores, permite a atacantes con permiso de Job/Configure acceder a credenciales con IDs especificados por el atacante almacenados en los almacenes privados de credenciales por ... • http://www.openwall.com/lists/oss-security/2022/05/17/8 • CWE-522: Insufficiently Protected Credentials CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2255 – jenkins-2-plugins/blueocean: Blue Ocean Plugin does not perform permission checks in several HTTP endpoints implementing connection tests.
https://notcve.org/view.php?id=CVE-2020-2255
16 Sep 2020 — A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. Una falta de comprobación de permisos en Jenkins Blue Ocean Plugin versiones 1.23.2 y anteriores, permite a atacantes con permiso Overall/Read conectarse a una URL especificada por el atacante The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Containe... • http://www.openwall.com/lists/oss-security/2020/09/16/3 • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 2%CPEs: 1EXPL: 0CVE-2020-2254 – jenkins-2-plugins/blueocean: Path traversal vulnerability in Blue Ocean Plugin could allow to read arbitrary files
https://notcve.org/view.php?id=CVE-2020-2254
16 Sep 2020 — Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system. Jenkins Blue Ocean Plugin versiones 1.23.2 y anteriores, proporciona un flag de funcionalidad no documentada que, cuando está habilitado, permite a un atacante con permiso Job/Configure o Job/Create leer archivos arbitrarios en el sistema de archivos del controlador Jenkins The podm... • http://www.openwall.com/lists/oss-security/2020/09/16/3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-1003012
https://notcve.org/view.php?id=CVE-2019-1003012
06 Feb 2019 — A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cro... • https://access.redhat.com/errata/RHBA-2019:0326 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2019-1003013
https://notcve.org/view.php?id=CVE-2019-1003013
06 Feb 2019 — An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/... • https://access.redhat.com/errata/RHBA-2019:0326 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0CVE-2017-1000105
https://notcve.org/view.php?id=CVE-2017-1000105
04 Oct 2017 — The optional Run/Artifacts permission can be enabled by setting a Java system property. Blue Ocean did not check this permission before providing access to archived artifacts, Item/Read permission was sufficient. El permiso opcional Run/Artifacts se puede habilitar definiendo una propiedad del sistema Java. Blue Ocean no comprueba este permiso antes de dar acceso a los artefactos archivados. El permiso Item/Read es suficiente. • https://jenkins.io/security/advisory/2017-08-07 • CWE-862: Missing Authorization •
CVSS: 8.5EPSS: 0%CPEs: 4EXPL: 0CVE-2017-1000106
https://notcve.org/view.php?id=CVE-2017-1000106
04 Oct 2017 — Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. Its SCM content REST API supports the pipeline creation and editing feature in Blue Ocean. The SCM content REST API did not check the current user's authentication or credentials. If the GitHub organization folder was created via Blue Ocean, it retained a reference to its creator's GitHub credentials... • https://jenkins.io/security/advisory/2017-08-07 • CWE-287: Improper Authentication •