Login Sign Up

CVE-2023-35141

8.0 HIGH
CSRF

📋 TL;DR

This is a Cross-Site Request Forgery (CSRF) vulnerability in Jenkins where insufficient URL escaping allows attackers to trick authenticated users into sending unauthorized POST requests by opening context menus. It affects Jenkins instances with version 2.399 or earlier, and LTS 2.387.3 or earlier.

💻 Affected Systems

Products:
  • Jenkins
Versions: Jenkins 2.399 and earlier, Jenkins LTS 2.387.3 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All Jenkins installations within affected version ranges are vulnerable regardless of configuration.

📦 What is this software?

Jenkins by Jenkins

View all CVEs affecting Jenkins →

Jenkins by Jenkins

View all CVEs affecting Jenkins →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could perform actions on behalf of authenticated users, potentially modifying configurations, creating/deleting jobs, or executing arbitrary code if combined with other vulnerabilities.

🟠

Likely Case

Attackers could trick users into performing unintended administrative actions like modifying job configurations or changing system settings.

🟢

If Mitigated

With proper CSRF protection and user awareness, impact is limited to actions within the user's permission scope.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking an authenticated user into opening a malicious context menu, making it a client-side attack vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jenkins 2.400, Jenkins LTS 2.387.4

Vendor Advisory: https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3135

Restart Required: Yes

Instructions:

1. Backup your Jenkins instance. 2. Upgrade to Jenkins 2.400 or Jenkins LTS 2.387.4 or later. 3. Restart Jenkins service. 4. Verify the upgrade completed successfully.

🔧 Temporary Workarounds

Enable Strict CSRF Protection

all

Configure Jenkins to use strict CSRF protection which may help mitigate some attack vectors.

Set Java system property: -Dhudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID=true

🧯 If You Can't Patch

  • Implement network segmentation to restrict Jenkins access to trusted users only
  • Educate users about not clicking suspicious links or context menus in Jenkins

🔍 How to Verify

Check if Vulnerable:

Check Jenkins version via Manage Jenkins > About Jenkins or via CLI with 'java -jar jenkins.war --version'

Check Version:

java -jar jenkins.war --version

Verify Fix Applied:

Verify version is 2.400 or higher (or LTS 2.387.4 or higher) and test context menu functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to unexpected endpoints
  • Multiple failed context menu load attempts

Network Indicators:

  • Unexpected POST requests from authenticated sessions to non-standard endpoints

SIEM Query:

source="jenkins.log" AND "POST" AND "contextMenu" AND status=200

📊 Metadata

CVE ID: CVE-2023-35141
CVSS v3 Score: 8.0 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-352
Published: June 14, 2023
Last Updated: January 2, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-35141, you might also want to check these:

CVE-2025-23922 10.0

A Cross-Site Request Forgery (CSRF) vulnerability in the Harsh iSpring Embedder WordPress plugin all...

Same vulnerability type (CWE-352)
CVE-2020-23426 9.8

CVE-2020-23426 is a privilege escalation vulnerability in zzcms 201910 that allows attackers to gain...

Same vulnerability type (CWE-352)
CVE-2024-33449 9.8

This SSRF vulnerability in PDFMyURL allows attackers to make the service send requests to internal s...

Same vulnerability type (CWE-352)