CVE-2019-1003012

A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API. The vulnerability is found in: - blueocean-core-js/src/js/bundleStartup.js - blueocean-core-js/src/js/fetch.ts - blueocean-core-js/src/js/i18n/i18n.js - blueocean-core-js/src/js/urlconfig.js - blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java - blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java - blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly