CVE-2023-35141: Cross-Site Request Forgery (CSRF)

June 14, 2023 (updated June 23, 2023)

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu.

References

www.openwall.com/lists/oss-security/2023/06/14/5
nvd.nist.gov/vuln/detail/CVE-2023-35141
www.jenkins.io/security/advisory/2023-06-14/

Code Behaviors & Features

Detect and mitigate CVE-2023-35141 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →