Cross-Site Request Forgery Vulnerability in Jenkins Blue Ocean Plugin by Jenkins
CVE-2023-40341
8.8 HIGH
Summary
A cross-site request forgery (CSRF) vulnerability in Jenkins Blue Ocean Plugin 1.27.5 and earlier allows an attacker to make a victim's browser issue a request, using the victim's existing Jenkins session, that connects to an attacker-specified URL and in doing so captures the GitHub credentials associated with an attacker-specified job. The attacker needs no access to Jenkins of their own: luring a logged-in Jenkins user to a page that triggers the request is enough, and the exfiltrated credentials can then be used against whatever repositories they grant access to. The issue is fixed in Blue Ocean Plugin 1.27.5.1, which requires POST requests and a permission check for the affected HTTP endpoint; until an instance is upgraded, treat GitHub credentials used by Blue Ocean jobs as potentially exposed and rotate them.
Affected Version(s)
Jenkins Blue Ocean Plugin 1.27.5 and earlier (first fixed release: 1.27.5.1)
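A quick way to triage this across a fleet is to pull each controller's plugin list and compare the installed Blue Ocean version against the first fixed release. The script below is an added example for this advisory page, not code from the Jenkins project or the Blue Ocean plugin. It assumes the plugin reports itself under the shortName `blueocean` in the plugin-manager API, and the embedded plugin list is constructed sample data in the shape of that API's output, not a real instance.

```python
"""Flag Jenkins controllers running a Blue Ocean Plugin release affected by
CVE-2023-40341 (1.27.5 and earlier), from the plugin-manager JSON.

Example code added for this advisory page; it is not part of the Jenkins
project or the Blue Ocean plugin.
"""
import json
import re

# First release containing the fix, per the advisory text above.
FIXED_VERSION = "1.27.5.1"

# Assumed plugin shortName as reported by the Jenkins plugin-manager API.
PLUGIN_ID = "blueocean"

# Constructed sample in the shape returned by
#   GET /pluginManager/api/json?depth=1&tree=plugins[shortName,version,active]
# (fetch it with an API token, e.g. curl -u user:token ...). Not real data.
SAMPLE_PLUGIN_LIST = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.1", "active": True},
        {"shortName": "blueocean", "version": "1.27.5", "active": True},
        {"shortName": "blueocean-rest", "version": "1.27.5", "active": True},
    ]
})


def parse_version(version):
    """Split a Jenkins plugin version into a tuple of integers.

    Handles the four-component hotfix numbering used here ("1.27.5.1") and
    stops at the first non-numeric component ("1.27.5-rc1" -> (1, 27, 5)),
    so a pre-release suffix never compares as newer than the release.
    """
    parts = []
    for piece in re.split(r"[.-]", version.strip()):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(version):
    """True when the given Blue Ocean version predates the fixed release.

    Tuple comparison gives (1, 27, 5) < (1, 27, 5, 1), which is exactly the
    boundary we need: 1.27.5 is affected, 1.27.5.1 and 1.27.6 are not.
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_affected(plugin_list_json, plugin_id=PLUGIN_ID):
    """Return the affected versions of plugin_id present in plugin-manager JSON.

    Only active plugins count: a disabled plugin is not loaded, so its HTTP
    endpoints are not bound and the vulnerable one is not reachable.
    """
    data = json.loads(plugin_list_json)
    return [
        p["version"]
        for p in data.get("plugins", [])
        if p.get("shortName") == plugin_id
        and p.get("active", True)
        and is_affected(p["version"])
    ]


if __name__ == "__main__":
    hits = find_affected(SAMPLE_PLUGIN_LIST)
    if hits:
        print(f"VULNERABLE: {PLUGIN_ID} {hits[0]} < {FIXED_VERSION} (CVE-2023-40341)")
    else:
        print(f"OK: {PLUGIN_ID} not installed or already at >= {FIXED_VERSION}")
```

Feed `find_affected` the JSON from each controller's `/pluginManager/api/json?depth=1` endpoint in place of the sample; the `tree` parameter shown in the comment keeps the response small. A version-string comparison is not enough here because the fix is a fourth-component hotfix release, which is why the script compares integer tuples rather than strings.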
CVSS v3.1 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Score: 8.8
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High