CVE-2019-1003012

Name of the Vulnerable Software and Affected Versions: Jenkins Blue Ocean Plugins versions 1.10.1 and earlier

Description: A data modification issue exists that allows attackers to bypass all cross-site request forgery protection in the Blue Ocean API. The vulnerability is found in several files, including blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, and blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly.

Recommendations: As a temporary workaround, consider disabling the affected API endpoints until a patch is available. Restrict access to the vulnerable files to minimize the risk of exploitation. Avoid using the vulnerable functions in the affected files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.