CVE-2023-40341

Name of the Vulnerable Software and Affected Versions Jenkins Blue Ocean Plugin versions 1.27.5 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to connect to an attacker-specified URL, capturing GitHub credentials associated with an attacker-specified job. This issue is due to an incomplete fix and results from not requiring POST requests for an HTTP endpoint. The vulnerability enables attackers to exploit the HTTP endpoint and capture sensitive information.

Recommendations For Jenkins Blue Ocean Plugin versions 1.27.5 and earlier, update to a version that includes the complete fix for the issue, such as version 1.27.5.1, which uses the configured SCM URL instead of a user-specified URL. As a temporary workaround, consider restricting access to the vulnerable HTTP endpoint until a patch is applied.