Jenkins · Blue Ocean · CVE-2017-1000106
**Name of the Vulnerable Software and Affected Versions**
Blue Ocean (affected versions not specified)
**Description**
The issue concerns the SCM content REST API in Blue Ocean, which does not properly check user authentication or credentials. As a result, users with read access to a GitHub organization folder can create arbitrary commits in the corresponding repositories, using the GitHub credentials of the organization folder's creator. These users can also read arbitrary file contents from the repositories if a branch contains a Jenkinsfile, by providing the organization folder name, repository name, branch name, and file name.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.