CVE-2023-35141 Overview
CVE-2023-35141 is a Cross-Site Request Forgery (CSRF) vulnerability affecting Jenkins automation server versions 2.399 and earlier, as well as LTS 2.387.3 and earlier. The vulnerability exists in the context menu functionality where POST requests are sent to load context actions. When part of the URL contains insufficiently escaped user-provided values, an attacker can trick authenticated victims into sending POST requests to unintended endpoints simply by opening a context menu.
Critical Impact
This vulnerability allows attackers to perform unauthorized actions on behalf of authenticated Jenkins users by exploiting insufficient URL escaping in context menu requests. Successful exploitation could lead to unauthorized modifications to Jenkins configurations, builds, or credentials.
Affected Products
- Jenkins versions 2.399 and earlier (weekly releases)
- Jenkins LTS versions 2.387.3 and earlier
- All Jenkins deployments using context menu functionality
Discovery Timeline
- June 14, 2023 - CVE-2023-35141 published to NVD
- January 2, 2025 - Last updated in NVD database
Technical Details for CVE-2023-35141
Vulnerability Analysis
This vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The flaw resides in how Jenkins handles POST requests when loading context action lists. The core issue stems from insufficient input sanitization of user-provided values that become part of URLs used in context menu operations.
When a user interacts with Jenkins context menus, the application generates POST requests to retrieve available actions. If an attacker can influence part of the URL through user-controllable input, they can craft malicious links that, when combined with victim interaction (opening a context menu), cause the victim's browser to send authenticated POST requests to arbitrary endpoints within the Jenkins application.
This attack requires user interaction (the victim must click to open a context menu), but given the routine nature of context menu usage in Jenkins, this represents a realistic attack scenario.
Root Cause
The root cause of CVE-2023-35141 is improper input validation and insufficient URL encoding of user-supplied data. When constructing URLs for context menu POST requests, Jenkins fails to adequately escape special characters in user-provided values. This allows an attacker to manipulate the request endpoint by injecting URL path segments or parameters into the URL structure, effectively redirecting authenticated POST requests to unintended destinations within Jenkins.
Attack Vector
The attack is network-based and requires low privileges to execute. An attacker with some level of access to Jenkins can craft a malicious URL or page that, when accessed by a victim with higher privileges, triggers the vulnerability upon context menu interaction.
The attack flow involves:
- The attacker identifies a Jenkins endpoint that incorporates user-controllable values into context menu URLs
- The attacker crafts a malicious payload that escapes the intended URL context
- The victim, while authenticated to Jenkins, accesses the attacker-controlled content
- When the victim opens a context menu, a POST request is sent to an attacker-specified endpoint
- The request executes with the victim's credentials, potentially performing privileged operations
For detailed technical information, refer to the Jenkins Security Advisory #SECURITY-3135 and the Openwall OSS Security Post.
Detection Methods for CVE-2023-35141
Indicators of Compromise
- Unexpected POST requests to Jenkins administrative endpoints originating from context menu actions
- Unusual patterns in Jenkins audit logs showing administrative actions from user sessions during normal browsing
- Reports from users about unexpected Jenkins configuration changes or job modifications
- Presence of crafted URLs in web server logs containing URL-encoded payloads targeting context menu endpoints
Detection Strategies
- Review Jenkins access logs for POST requests with unusual URL patterns or unexpected endpoint access
- Monitor for requests containing URL-encoded characters that could indicate injection attempts in context menu paths
- Implement web application firewall (WAF) rules to detect CSRF patterns targeting Jenkins endpoints
- Enable and review Jenkins security audit logs for unauthorized configuration changes
Monitoring Recommendations
- Configure alerting for administrative actions performed without corresponding user interface navigation patterns
- Implement Content Security Policy (CSP) headers and monitor for violations
- Set up log correlation between user authentication events and subsequent privileged operations
- Monitor for rapid sequences of context menu loads followed by sensitive endpoint access
How to Mitigate CVE-2023-35141
Immediate Actions Required
- Upgrade Jenkins to version 2.400 or later for weekly releases
- Upgrade Jenkins LTS to version 2.387.4 or later
- Review recent administrative actions in Jenkins logs for unauthorized changes
- Consider restricting Jenkins access to trusted networks while awaiting patch deployment
Patch Information
Jenkins has addressed this vulnerability in versions 2.400 (weekly) and LTS 2.387.4 and later. The fix implements proper URL encoding and validation for user-provided values that appear in context menu URLs, preventing attackers from manipulating POST request destinations. Organizations should apply the patch as soon as possible following their standard change management procedures.
For complete patch details, see the Jenkins Security Advisory #SECURITY-3135.
Workarounds
- Restrict Jenkins access to trusted users and networks using firewall rules or VPN requirements
- Implement additional authentication layers such as multi-factor authentication for sensitive Jenkins operations
- Configure reverse proxy rules to validate and sanitize incoming requests to Jenkins
- Educate users about the risks of clicking links from untrusted sources while authenticated to Jenkins
# Example: Restrict Jenkins access to internal network only via iptables
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
