SCA: security update for io.jenkins.blueocean:blueocean (GHSA-qgjq-m78x-4gm8)

high Tenable Self-Hosted Container Security Plugin ID 418124

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Blue Ocean allows the creation of GitHub organization folders that are set up to scan a GitHub
organization for repositories and branches containing a Jenkinsfile, and create corresponding pipelines in
Jenkins. Its SCM content REST API supports the pipeline creation and editing feature in Blue Ocean. The
SCM content REST API did not check the current user's authentication or credentials. If the GitHub
organization folder was created via Blue Ocean, it retained a reference to its creator's GitHub
credentials. This allowed users with read access to the GitHub organization folder to create arbitrary
commits in the repositories inside the GitHub organization corresponding to the GitHub organization folder
with the GitHub credentials of the creator of the organization folder. Additionally, users with read
access to the GitHub organization folder could read arbitrary file contents from the repositories inside
the GitHub organization corresponding to the GitHub organization folder if the branch contained a
Jenkinsfile (which could be created using the other part of this vulnerability), and they could provide
the organization folder name, repository name, branch name, and file name. (CVE-2017-1000106)

See Also

https://github.com/advisories/GHSA-qgjq-m78x-4gm8

Plugin Details

Severity: High

ID: 418124

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.9

Percentile: 52.21

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2017-1000106

CVSS v3

Risk Factor: High

Base Score: 8.5

Temporal Score: 7.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/13/2022

Vulnerability Publication Date: 10/5/2017

Reference Information

CVE: CVE-2017-1000106

cwe: CWE-287