A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API. The vulnerability is found in:

- blueocean-core-js/src/js/bundleStartup.js
- blueocean-core-js/src/js/fetch.ts
- blueocean-core-js/src/js/i18n/i18n.js
- blueocean-core-js/src/js/urlconfig.js
- blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java
- blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java
- blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly

Affected Packages

Maven io.jenkins.blueocean:blueocean

Affected versions: 0 (fixed in 1.10.2)

Related CVEs

CVE-2019-1003012

Key Information

GHSA ID

GHSA-qxh5-5r5p-5gvf

Published

May 13, 2022 1:31 AM

Last Modified

November 1, 2022 10:46 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

io.jenkins.blueocean:blueocean

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.