Jenkins: >> Blue Ocean >> 1.14.0 Security Vulnerabilities
A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job.
CVSS Score
8.8
EPSS Score
0.004
Published
2023-08-16
Jenkins Pipeline SCM API for Blue Ocean Plugin 1.25.3 and earlier allows attackers with Job/Configure permission to access credentials with attacker-specified IDs stored in the private per-user credentials stores of any attacker-specified user in Jenkins.
CVSS Score
6.5
EPSS Score
0.004
Published
2022-05-17
A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.25.3 and earlier allows attackers to connect to an attacker-specified HTTP server.
CVSS Score
6.5
EPSS Score
0.0
Published
2022-05-17
Jenkins Blue Ocean Plugin 1.25.3 and earlier does not perform a permission check in several HTTP endpoints, allowing attackers with Overall/Read permission to connect to an attacker-specified HTTP server.
CVSS Score
6.5
EPSS Score
0.003
Published
2022-05-17
Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system.
CVSS Score
6.5
EPSS Score
0.024
Published
2020-09-16
A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.
CVSS Score
4.3
EPSS Score
0.001
Published
2020-09-16