CVSS Score
The vulnerability stemmed from endpoints that accepted GET requests without CSRF protection or permission checks. The commit diff shows three critical additions: 1) HTTP method checks requiring POST, 2) checkPermission() calls, and 3) @POST annotations replacing @PUT. Before the patch, the functions handling SCM operations (getState, getOrganizations, validateAndCreate) in the Bitbucket, GitHub and Git implementations lacked these protections, so a CSRF request could make the Jenkins server connect to an attacker-controlled server. The JavaScript client was changed to use POST so that it matches the new server-side enforcement.
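The following is an added illustration of the before/after pattern the advisory describes, not Blue Ocean's own code. The class, method and endpoint names (ScmConnectEndpoint, validateAndCreateLegacy, connectToScm) and the choice of Item.CREATE as the required permission are assumptions; the Stapler annotations (@GET, @POST, @WebMethod) and the Jenkins checkPermission() API are real.

```java
// Added example: a GET endpoint with no authorization (vulnerable pattern) beside
// the hardened form that applies the three controls named in the advisory.
// Not Blue Ocean's own code; endpoint and helper names are hypothetical.
import java.io.IOException;
import java.net.URI;
import javax.servlet.http.HttpServletResponse;
import hudson.model.Item;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.WebMethod;
import org.kohsuke.stapler.verb.GET;
import org.kohsuke.stapler.verb.POST;

public class ScmConnectEndpoint {

    // BEFORE (vulnerable pattern): reachable with a plain GET and performs its
    // side effect for any logged-in user. A cross-site request (an <img> or a link)
    // is enough to make the server connect to whatever apiUrl the attacker supplies,
    // and Jenkins' CSRF crumb check does not apply to GET requests.
    @GET
    @WebMethod(name = "validateAndCreateLegacy")
    public void validateAndCreateLegacy(StaplerRequest req, StaplerResponse rsp) throws IOException {
        String apiUrl = req.getParameter("apiUrl");
        connectToScm(apiUrl); // no verb restriction, no permission check
    }

    // AFTER (hardened pattern): the three controls the patch adds.
    @POST                                   // 1) Stapler answers non-POST verbs with 405
    @WebMethod(name = "validateAndCreate")
    public void validateAndCreate(StaplerRequest req, StaplerResponse rsp) throws IOException {
        // Defence in depth: explicit verb check in case the annotation is ever dropped.
        if (!"POST".equals(req.getMethod())) {
            rsp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        // 2) Authorization: throws AccessDeniedException (HTTP 403) when the
        //    current user lacks the permission. Item.CREATE is an assumed choice.
        Jenkins.get().checkPermission(Item.CREATE);

        String apiUrl = req.getParameter("apiUrl");
        if (apiUrl == null || apiUrl.isEmpty()) {
            rsp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        connectToScm(apiUrl);
        rsp.setStatus(HttpServletResponse.SC_OK);
    }

    // Stand-in for the real SCM connection logic; here it only parses the target
    // so the example compiles without network access.
    private URI connectToScm(String apiUrl) {
        return URI.create(apiUrl);
    }
}
```

Restricting the endpoint to POST does two things at once: Jenkins' crumb filter now validates the request, so a cross-site form cannot supply a valid crumb, and the browser-initiated GET paths (image tags, links, top-level navigations) can no longer reach the handler at all. The checkPermission() call is the separate authorization layer; the verb change alone would still let any authenticated user trigger the outbound connection.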
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| io.jenkins.blueocean:blueocean-parent | maven | < 1.25.4 | 1.25.4 |