Bug 2215074 (CVE-2023-35141)

Summary: CVE-2023-35141 jenkins: CSRF protection bypass vulnerability
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abenaiss, chazlett, dfreiber, eaguilar, ebaron, ellin, jburrell, jkang, jpallich, pjindal, rogbas, scorneli, sfroberg, shbose, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Jenkins and Jenkins Long-Term Support (LTS), where it could allow a remote, authenticated attacker to bypass security restrictions caused by the inclusion of insufficiently escaped user-provided values in part of the URL. An attacker can send a POST request to an unexpected endpoint by persuading a victim to open a context menu.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 2215113    

Description Guilherme de Almeida Suckevicz 2023-06-14 16:42:52 UTC
In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu.