cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2023-40341,https://securityvulnerability.io/vulnerability/CVE-2023-40341,Cross-Site Request Forgery Vulnerability in Jenkins Blue Ocean Plugin by Jenkins,"A cross-site request forgery (CSRF) issue in the Jenkins Blue Ocean Plugin versions up to 1.27.5 enables attackers to exploit the plugin's functionality. By tricking users into making a request to an attacker-specified URL, this vulnerability can lead to unauthorized access to sensitive GitHub credentials associated with specific jobs in Jenkins. This poses significant risks for users who may inadvertently expose their credentials, allowing for potential misuse of access to repositories.",Jenkins,Jenkins Blue Ocean Plugin,8.8,HIGH,0.0008800000068731606,false,,false,false,false,,,false,false,,2023-08-16T15:15:00.000Z,0
CVE-2022-30954,https://securityvulnerability.io/vulnerability/CVE-2022-30954,Insufficient Permission Checks in Jenkins Blue Ocean Plugin,"The Jenkins Blue Ocean Plugin fails to perform necessary permission checks in several HTTP endpoints. This flaw enables attackers who possess Overall/Read permissions to connect to an HTTP server of their choosing, potentially exposing sensitive data and resources. Users of affected versions should update to secure endpoints against unauthorized access.",Jenkins,Jenkins Blue Ocean Plugin,6.5,MEDIUM,0.0005000000237487257,false,,false,false,false,,,false,false,,2022-05-17T14:06:21.000Z,0
CVE-2022-30953,https://securityvulnerability.io/vulnerability/CVE-2022-30953,Cross-Site Request Forgery in Jenkins Blue Ocean Plugin by Jenkins,"A cross-site request forgery (CSRF) vulnerability exists in Jenkins Blue Ocean Plugin version 1.25.3 and earlier. This flaw could allow attackers to make unauthorized requests, potentially leading to interaction with an attacker-specified HTTP server. Effective mitigation is essential to safeguard systems from such exploits, which can compromise user data and system integrity.",Jenkins,Jenkins Blue Ocean Plugin,6.5,MEDIUM,0.0006000000284984708,false,,false,false,false,,,false,false,,2022-05-17T14:06:18.000Z,0
CVE-2022-30952,https://securityvulnerability.io/vulnerability/CVE-2022-30952,Pipeline SCM API Vulnerability in Jenkins Blue Ocean Plugin,"The Jenkins Blue Ocean Plugin, specifically the Pipeline SCM API, allows unauthorized access to sensitive credentials stored in per-user credential stores. Attackers with Job/Configure permissions can exploit this vulnerability to retrieve credentials belonging to any user by specifying arbitrary credential IDs. This poses significant risks to the security of the Jenkins environment, potentially leading to further attacks or data breaches.",Jenkins,Jenkins Pipeline Scm Api For Blue Ocean Plugin,6.5,MEDIUM,0.0006300000241026282,false,,false,false,false,,,false,false,,2022-05-17T00:00:00.000Z,0
CVE-2020-2255,https://securityvulnerability.io/vulnerability/CVE-2020-2255,,A missing permission check in Jenkins Blue Ocean Plugin 1.23.2 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL.,Jenkins,Jenkins Blue Ocean Plugin,4.3,MEDIUM,0.0005000000237487257,false,,false,false,false,,,false,false,,2020-09-16T13:20:40.000Z,0
CVE-2020-2254,https://securityvulnerability.io/vulnerability/CVE-2020-2254,,"Jenkins Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag that, when enabled, allows an attacker with Job/Configure or Job/Create permission to read arbitrary files on the Jenkins controller file system.",Jenkins,Jenkins Blue Ocean Plugin,6.5,MEDIUM,0.0010100000072270632,false,,false,false,false,,,false,false,,2020-09-16T13:20:39.000Z,0
CVE-2019-1003012,https://securityvulnerability.io/vulnerability/CVE-2019-1003012,,"A data modification vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-core-js/src/js/bundleStartup.js, blueocean-core-js/src/js/fetch.ts, blueocean-core-js/src/js/i18n/i18n.js, blueocean-core-js/src/js/urlconfig.js, blueocean-rest/src/main/java/io/jenkins/blueocean/rest/APICrumbExclusion.java, blueocean-web/src/main/java/io/jenkins/blueocean/BlueOceanUI.java, blueocean-web/src/main/resources/io/jenkins/blueocean/BlueOceanUI/index.jelly that allows attackers to bypass all cross-site request forgery protection in Blue Ocean API.",Jenkins,Jenkins Blue Ocean Plugins,6.5,MEDIUM,0.001180000021122396,false,,false,false,false,,,false,false,,2019-02-06T16:00:00.000Z,0
CVE-2019-1003013,https://securityvulnerability.io/vulnerability/CVE-2019-1003013,,"A cross-site scripting vulnerability exists in Jenkins Blue Ocean Plugins 1.10.1 and earlier in blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/Export.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/ExportConfig.java, blueocean-commons/src/main/java/io/jenkins/blueocean/commons/stapler/export/JSONDataWriter.java, blueocean-rest-impl/src/main/java/io/jenkins/blueocean/service/embedded/UserStatePreloader.java, blueocean-web/src/main/resources/io/jenkins/blueocean/PageStatePreloadDecorator/header.jelly that allows attackers with permission to edit a user's description in Jenkins to have Blue Ocean render arbitrary HTML when using it as that user.",Jenkins,Jenkins Blue Ocean Plugins,5.4,MEDIUM,0.0006000000284984708,false,,false,false,false,,,false,false,,2019-02-06T16:00:00.000Z,0
CVE-2017-1000106,https://securityvulnerability.io/vulnerability/CVE-2017-1000106,,"Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. Its SCM content REST API supports the pipeline creation and editing feature in Blue Ocean. The SCM content REST API did not check the current user's authentication or credentials. If the GitHub organization folder was created via Blue Ocean, it retained a reference to its creator's GitHub credentials. This allowed users with read access to the GitHub organization folder to create arbitrary commits in the repositories inside the GitHub organization corresponding to the GitHub organization folder with the GitHub credentials of the creator of the organization folder. Additionally, users with read access to the GitHub organization folder could read arbitrary file contents from the repositories inside the GitHub organization corresponding to the GitHub organization folder if the branch contained a Jenkinsfile (which could be created using the other part of this vulnerability), and they could provide the organization folder name, repository name, branch name, and file name.",Jenkins,Blue Ocean,8.5,HIGH,0.000539999979082495,false,,false,false,false,,,false,false,,2017-10-05T01:29:00.000Z,0
CVE-2017-1000105,https://securityvulnerability.io/vulnerability/CVE-2017-1000105,,"The optional Run/Artifacts permission can be enabled by setting a Java system property. Blue Ocean did not check this permission before providing access to archived artifacts, Item/Read permission was sufficient.",Jenkins,Blue Ocean,5.3,MEDIUM,0.0007999999797903001,false,,false,false,false,,,false,false,,2017-10-05T01:29:00.000Z,0
CVE-2017-1000110,https://securityvulnerability.io/vulnerability/CVE-2017-1000110,,"Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. It did not properly check the current user's authentication and authorization when configuring existing GitHub organization folders. This allowed users with read access to the GitHub organization folder to reconfigure it, including changing the GitHub API endpoint for the organization folder to an attacker-controlled server to obtain the GitHub access token, if the organization folder was initially created using Blue Ocean.",Jenkins,Blue Ocean,4.3,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2017-10-05T01:29:00.000Z,0