CVE-2023-35141

EPSS 0.09%
Veröffentlicht 14.06.2023 13:15:11
Zuletzt bearbeitet 02.01.2025 20:16:03
Quelle jenkinsci-cert@googlegroups.co
Teams Watchlist Login
Unerledigt Login

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Jenkins ≫ Jenkins SwEdition- Version < 2.400

Jenkins ≫ Jenkins SwEditionlts Version < 2.401.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.27

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8	2.1	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8	2.1	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

http://www.openwall.com/lists/oss-security/2023/06/14/5

Third Party Advisory

Mailing List

https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3135

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-35141

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-35141

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-35141

EUVD