CVE-2023-35141: Jenkins CSRF Protection Bypass Vulnerability
Jenkins, often hailed as the engine of DevOps, offers a plethora of features to manage and control software delivery processes throughout the entire lifecycle. Among these features, Jenkins provides context menus for various user interface (UI) elements such as links to jobs, builds, or breadcrumbs. These features offer efficiency and speed, but unfortunately, they can also offer a foothold to attackers if left unprotected. This is precisely where the CVE-2023-35141 vulnerability comes in.
CVE-2023-35141, which has been assigned a high-risk Common Vulnerability Scoring System (CVSS) score of 8.0, has surfaced from the abyss due to a CSRF (Cross-Site Request Forgery) protection bypass vulnerability. In Jenkins versions 2.399 and earlier, as well as LTS 2.387.3 and earlier, POST requests are used to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, an unwary victim may be tricked into sending a POST request to an unintended endpoint, such as the Script Console, simply by opening a context menu.
As of the time of this advisory’s publication, Jenkins developers are fully aware of insufficiently escaped context menu URLs for label expressions. It is a chilling reality that attackers with Item/Configure permissions can exploit this vulnerability, posing a considerable risk to the application’s security.
Jenkins’s development team has been working hard to tame this vulnerability. With the release of Jenkins 2.400 and LTS 2.401.1, the bug is fixed. These versions now send GET requests to load the list of context actions, effectively mitigating the risks posed by the CSRF protection bypass vulnerability.
In addition to the rectification of this vulnerability, the new versions of Jenkins also offer a solution to six other security vulnerabilities lurking within its plugins. This not only demonstrates the developers’ vigilance but also their commitment to ensuring the product’s security.
For Jenkins users, the best course of action is to update your Jenkins software to version 2.400 or LTS 2.401.1. Doing so will secure your ship against the treacherous wave of CVE-2023-35141, along with six other potential hazards.
