4.3

CVSS Score

Basic Information

CVE ID

CVE-2017-1000110

GHSA ID

GHSA-rm5m-9mx4-g5r7

EPSS Score

CWE

CWE-287

Published

5/13/2022

Updated

1/30/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-1000110

CVE-2017-1000110:
Improper Authentication in Jenkins Blue Ocean Plugin

Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in Jenkins. It did not properly check the current user's authentication and authorization when configuring existing GitHub organization folders. This allowed users with read access to the GitHub organization folder to reconfigure it, including changing the GitHub API endpoint for the organization folder to an attacker-controlled server to obtain the GitHub access token, if the organization folder was initially created using Blue Ocean.

(GitHub Advisory)

4.3

CVSS Score

Basic Information

CVE ID

CVE-2017-1000110

GHSA ID

GHSA-rm5m-9mx4-g5r7

EPSS Score

CWE

CWE-287

Published

5/13/2022

Updated

1/30/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.jenkins.blueocean:blueocean	maven	< 1.2.0	1.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing authentication checks during GitHub organization folder reconfiguration. The advisory explicitly mentions the fix involved adding Item/CREATE permission verification. In Jenkins plugin architecture, REST resource classes like OrganizationFolderResource typically handle configuration updates. The 'update' method (or similarly named) would be responsible for processing these changes. Prior to the patch, this method lacked the necessary permission check, making it the vulnerable entry point. The high confidence comes from the direct correlation between the advisory's described fix and standard Jenkins permission enforcement patterns.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*lu* O***n *llows t** *r**tion o* *it*u* or**niz*tion *ol**rs t**t *r* s*t up to s**n * *it*u* or**niz*tion *or r*positori*s *n* *r*n***s *ont*inin* * J*nkins*il*, *n* *r**t* *orr*spon*in* pip*lin*s in J*nkins. It *i* not prop*rly ****k t** *urr*nt u

Reasoning

T** vuln*r**ility st*ms *rom missin* *ut**nti**tion ****ks *urin* *it*u* or**niz*tion *ol**r r**on*i*ur*tion. T** **visory *xpli*itly m*ntions t** *ix involv** ***in* It*m/*R**T* p*rmission v*ri*i**tion. In J*nkins plu*in *r**it**tur*, R*ST r*sour**

4.3

Basic Information

Concerned about an active attack path?

CVE-2017-1000110: Improper Authentication in Jenkins Blue Ocean Plugin

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2017-1000110:
Improper Authentication in Jenkins Blue Ocean Plugin

Vulnerability Intelligence
Miggo AI