Skip to main content

Blue Ocean CVE-2023-40341

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2023-08-16 jenkinsci-cert@googlegroups.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 16, 2023 - 15:15 nvd
HIGH 8.8

DescriptionNVD

A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.

AnalysisAI

A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. Affected products include: Jenkins Blue Ocean.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.

CVE-2017-1000106 HIGH
8.5 Oct 05

Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for reposito

CVE-2022-30954 MEDIUM
6.5 May 17

Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing att

CVE-2022-30953 MEDIUM
6.5 May 17

A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to co

CVE-2022-30952 MEDIUM
6.5 May 17

Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to acce

CVE-2020-2254 MEDIUM
6.5 Sep 16

Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacke

CVE-2019-1003012 MEDIUM
6.5 Feb 06

A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bu

CVE-2019-1003013 MEDIUM
5.4 Feb 06

An cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/m

CVE-2017-1000105 MEDIUM
5.3 Oct 05

The optional Run/Artifacts permission can be enabled by setting a Java system property. Rated medium severity (CVSS 5.3)

CVE-2017-1000110 MEDIUM
4.3 Oct 05

Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for reposito

CVE-2020-2255 MEDIUM
4.3 Sep 16

A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission

Share

CVE-2023-40341 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy