CVE-2023-35141

EPSS 0.09%
Published 14.06.2023 13:15:11
Last modified 02.01.2025 20:16:03
Source jenkinsci-cert@googlegroups.co
Teams watchlist Login
Open Login

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Jenkins ≫ Jenkins SwEdition- Version < 2.400

Jenkins ≫ Jenkins SwEditionlts Version < 2.401.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.09%	0.27

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8	2.1	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	8	2.1	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

http://www.openwall.com/lists/oss-security/2023/06/14/5

Third Party Advisory

Mailing List

https://www.jenkins.io/security/advisory/2023-06-14/#SECURITY-3135

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-35141

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-35141

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-35141

EUVD