GHSA-g4pq-p927-7pgg

GitHub Security Advisory

Jenkins Blue Ocean Plugin cross-site request forgery vulnerability

GitHub Reviewed: Yes | Severity: MODERATE | Has CVE

Advisory Details

Jenkins Blue Ocean Plugin 1.27.5 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.

This issue is due to an incomplete fix of SECURITY-2502.

Blue Ocean Plugin 1.27.5.1 uses the job's configured SCM URL instead of a user-specified URL passed as a parameter to the HTTP endpoint.
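The two defects the advisory names (an endpoint reachable without POST, and an endpoint that follows a URL taken from the request) have a standard shape in Jenkins plugin code. The following Java is an added illustration written for this page; it is not Blue Ocean's code, and the class, property and endpoint names (ScmProbeEndpoint, ScmUrlJobProperty, doProbe, doProbeUnsafe) are hypothetical. It assumes only public Jenkins core and Stapler APIs (RootAction, JobProperty, @RequirePOST, @QueryParameter, FormValidation) and shows the weak pattern beside the hardened one: POST-only, permission-checked, and reading the URL from the job's saved configuration rather than from the caller.

```java
import hudson.Extension;
import hudson.model.Item;
import hudson.model.Job;
import hudson.model.JobProperty;
import hudson.model.JobPropertyDescriptor;
import hudson.model.RootAction;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

/** Hypothetical example endpoint (not Blue Ocean code) registered at /scm-probe-example. */
@Extension
public class ScmProbeEndpoint implements RootAction {

    @Override public String getIconFileName() { return null; } // no sidebar link
    @Override public String getDisplayName() { return null; }
    @Override public String getUrlName() { return "scm-probe-example"; }

    /**
     * WEAK SHAPE, kept only for contrast: answers GET, so a cross-site link or
     * image tag in the victim's browser can trigger it, and it contacts whatever
     * URL the caller put in the request.
     */
    public FormValidation doProbeUnsafe(@QueryParameter String url) throws IOException {
        return probe(url);
    }

    /**
     * HARDENED SHAPE: @RequirePOST rejects GET (Jenkins' crumb check then stops
     * cross-site POSTs), the caller must hold Item.CONFIGURE on the job, and the
     * URL is read from the job's stored configuration, never from the request.
     */
    @RequirePOST
    public FormValidation doProbe(@QueryParameter String job) throws IOException {
        Job<?, ?> target = Jenkins.get().getItemByFullName(job, Job.class);
        if (target == null) {
            return FormValidation.error("No such job");
        }
        target.checkPermission(Item.CONFIGURE);
        ScmUrlJobProperty prop = target.getProperty(ScmUrlJobProperty.class);
        if (prop == null || prop.getScmUrl() == null) {
            return FormValidation.error("Job has no configured SCM URL");
        }
        return probe(prop.getScmUrl());
    }

    /** Anonymous reachability check (HEAD request); no credentials are attached. */
    private static FormValidation probe(String url) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestMethod("HEAD");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        int code = conn.getResponseCode();
        return code < 400
                ? FormValidation.ok("Reachable (HTTP " + code + ")")
                : FormValidation.error("HTTP " + code);
    }

    /** Hypothetical job property holding the SCM URL chosen when the job was configured. */
    public static class ScmUrlJobProperty extends JobProperty<Job<?, ?>> {
        private final String scmUrl;

        @DataBoundConstructor
        public ScmUrlJobProperty(String scmUrl) { this.scmUrl = scmUrl; }

        public String getScmUrl() { return scmUrl; }

        @Extension
        public static class DescriptorImpl extends JobPropertyDescriptor {
            @Override public String getDisplayName() { return "Configured SCM URL (example)"; }
        }
    }
}
```

The check a reviewer would apply to any plugin endpoint that performs an outbound request or touches stored credentials is the pair shown in doProbe: a web method that changes state or uses secrets carries @RequirePOST and an explicit checkPermission, and any URL it contacts comes from persisted configuration rather than from a request parameter.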

Affected Packages

Maven io.jenkins.blueocean:blueocean
Affected versions: all versions up to and including 1.27.5 (fixed in 1.27.5.1)

Related CVEs

Key Information

GHSA ID
GHSA-g4pq-p927-7pgg
Published
August 16, 2023 3:30 PM
Last Modified
August 16, 2023 9:08 PM
CVSS Score
5.0 /10
Primary Ecosystem
Maven
Primary Package
io.jenkins.blueocean:blueocean
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.