VYPR
Moderate severity · NVD Advisory · Published Aug 16, 2023 · Updated Oct 8, 2024

CVE-2023-40341

Description

CSRF in Jenkins Blue Ocean Plugin (≤1.27.5) lets attackers steal GitHub credentials by tricking users into connecting to attacker-specified URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Root Cause

Jenkins Blue Ocean Plugin versions 1.27.5 and earlier contain a cross-site request forgery (CSRF) vulnerability. The plugin does not require a POST request for the affected HTTP endpoint, so Jenkins' crumb-based CSRF protection, which only covers POST requests, does not apply to it. An attacker can therefore craft a link or script that, when loaded by an authenticated Jenkins user, triggers an unintended action without the user's consent [1][3].

Exploitation

To exploit this CSRF vulnerability, an attacker needs to lure a Jenkins administrator or user with appropriate permissions to click a crafted link or visit a malicious page while logged into Jenkins. The attack can connect the victim's Jenkins instance to an attacker-specified URL, which is used to capture GitHub credentials associated with an attacker-specified job [1][2]. No additional authentication is required beyond the victim's existing session.

Impact

Successful exploitation allows an attacker to steal GitHub credentials linked to a specific job defined by the attacker. These credentials could then be reused for unauthorized access to GitHub repositories or other resources, potentially leading to further compromise of the software development lifecycle [1][3].

Mitigation

The vulnerability is fixed in Blue Ocean Plugin version 1.27.5.1, which enforces POST requests on the vulnerable endpoint [1][2]. Users should update to this version or later. No workaround is available; upgrading the plugin is the only complete remediation.
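The fix described above, as an added illustration that is not Blue Ocean's own code: a hypothetical Jenkins plugin web method shown once without and once with Stapler's @RequirePOST annotation. The class, method, parameter and permission names are assumptions; only the annotation, Jenkins.get() and Jenkins.ADMINISTER are real API.

```java
// Added illustration, not code from the Blue Ocean plugin. A hypothetical
// Stapler-bound object on a Jenkins plugin; method names are assumptions.
import jenkins.model.Jenkins;
import org.kohsuke.stapler.HttpResponse;
import org.kohsuke.stapler.HttpResponses;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

public class ConnectAction {

    // BEFORE (the pattern the advisory describes): any HTTP method is accepted,
    // so a plain GET from a link or image tag on a third-party page runs this
    // with the victim's session cookie. Jenkins' CSRF crumb check never fires
    // because it only validates POST requests.
    public HttpResponse doConnectUnsafe(@QueryParameter String url) {
        startConnection(url);
        return HttpResponses.ok();
    }

    // AFTER: @RequirePOST makes Stapler reject non-POST requests outright, so
    // a cross-site caller must send a POST, which the crumb filter then checks.
    // The explicit permission check (ADMINISTER chosen here as an example)
    // additionally limits who may trigger the action at all.
    @RequirePOST
    public HttpResponse doConnect(@QueryParameter String url) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        startConnection(url);
        return HttpResponses.ok();
    }

    private void startConnection(String url) {
        // Placeholder for the plugin's real connection logic (not shown here).
    }
}
```

Defenders reviewing a plugin can grep for public do* methods that take request parameters and lack @RequirePOST (or an equivalent method check) to find endpoints with this shape.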

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.jenkins.blueocean:blueocean (Maven)
Affected versions: < 1.27.5.1
Patched versions: 1.27.5.1
