Bug 908516 (CVE-2023-35141) - <dev-util/jenkins-bin-2.401.1: CSRF bypass
Summary: <dev-util/jenkins-bin-2.401.1: CSRF bypass
Alias: CVE-2023-35141
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Depends on:
Reported: 2023-06-15 05:27 UTC by John Helmert III
Modified: 2023-06-18 23:40 UTC

See Also:
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-15 05:27:10 UTC

In Jenkins 2.399 and earlier, LTS 2.387.3 and earlier, POST requests are sent in order to load the list of context actions. If part of the URL includes insufficiently escaped user-provided values, a victim may be tricked into sending a POST request to an unexpected endpoint by opening a context menu.

Please bump.
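The pattern the description above refers to, as an added JavaScript example that is neither Jenkins code nor the reporter's words: a context-menu request URL built by concatenating an unescaped user-provided item name, the percent-encoded form next to it, and a defender-side check that the resolved request still targets the expected same-origin endpoint. The base path "/job/<name>/contextMenu", the origin and the item name are assumptions; `URL` and `encodeURIComponent` are the standard browser/Node globals.

```javascript
// Added example, not Jenkins source: the "/job/<name>/contextMenu" path,
// the origin and the item name are assumptions chosen to illustrate the text.

// Vulnerable pattern: the user-provided value is spliced in unescaped, so
// "/", "..", "?" or "#" inside it can change where the POST is sent.
function contextMenuUrlUnsafe(base, itemName) {
  return base + "/job/" + itemName + "/contextMenu";
}

// Fixed pattern: percent-encode the value so it remains one path segment.
function contextMenuUrlSafe(base, itemName) {
  return base + "/job/" + encodeURIComponent(itemName) + "/contextMenu";
}

// Defender-side check before issuing the POST: resolve the URL against the
// page origin and confirm it is same-origin, lands on exactly one
// /job/<segment>/contextMenu path, and carries no query or fragment.
function targetsContextMenuEndpoint(url, origin) {
  const u = new URL(url, origin);
  return u.origin === new URL(origin).origin &&
    /^\/job\/[^/]+\/contextMenu$/.test(u.pathname) &&
    u.search === "" && u.hash === "";
}

const ORIGIN = "https://ci.example";           // assumed origin
const HOSTILE_NAME = "../../other/endpoint?x"; // constructed sample value

// Show what each builder produces for the constructed name and whether the
// check would let the request through.
function demo() {
  const unsafe = contextMenuUrlUnsafe(ORIGIN, HOSTILE_NAME);
  const safe = contextMenuUrlSafe(ORIGIN, HOSTILE_NAME);
  return {
    unsafePath: new URL(unsafe, ORIGIN).pathname,         // "/other/endpoint"
    unsafeOk: targetsContextMenuEndpoint(unsafe, ORIGIN), // false
    safeOk: targetsContextMenuEndpoint(safe, ORIGIN),     // true
  };
}
```

The unsafe build resolves to a different path entirely, while the encoded build keeps the value inside a single segment and passes the same-origin endpoint check.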
Comment 1 Hans de Graaff gentoo-dev Security 2023-06-16 04:50:15 UTC
jenkins-bin 2.410 has been added and vulnerable versions have been removed.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-18 23:40:05 UTC