Jenkins, an open source server for automating software development, this week released patches for various plugins affected by high- and medium-severity vulnerabilities. The Folders, Flaky Test Handler, and Shortcut Job plugins each have three serious cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities that the patches address.
The first flaw, identified as CVE-2023-40336, occurs because the Folders plugin in versions 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in CSRF. Jenkins states in an advisory that “this vulnerability allows attackers to copy an item, which could potentially automatically approve unsandboxed scripts and allow the execution of unsafe scripts.”
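To show what "does not require POST requests for an HTTP endpoint" means in practice, here is an added illustration of a Jenkins plugin web method (Stapler "do" handler) in both the weak and the hardened form. This is example code written for this article, not the Folders plugin's own source; the class and method names (ExampleAction, doCopyThing, performCopy) are hypothetical, while Action, StaplerRequest, StaplerResponse and the @RequirePOST annotation are real Jenkins/Stapler APIs.

```java
// Added example (not from the Folders plugin or Jenkins core).
// Names ExampleAction, doCopyThing and performCopy are hypothetical.
import hudson.model.Action;
import hudson.model.Item;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.IOException;

public class ExampleAction implements Action {

    // Weak pattern: Stapler routes ANY HTTP method (including GET) to this
    // handler. Jenkins' CSRF crumb is only enforced on POST, so a GET
    // triggered from a third-party page (an <img> or a link) performs the
    // state change with the victim's browser session. This is the class of
    // bug described for CVE-2023-40336.
    public void doCopyThingUnsafe(StaplerRequest req, StaplerResponse rsp) throws IOException {
        String name = req.getParameter("name");
        performCopy(name);
        rsp.sendRedirect(".");
    }

    // Hardened pattern: @RequirePOST makes Stapler reject non-POST requests,
    // and the crumb filter then validates the CSRF token on the POST.
    // The explicit permission check is a separate control: CSRF protection
    // stops cross-site triggering, authorization stops unprivileged callers.
    @RequirePOST
    public void doCopyThing(StaplerRequest req, StaplerResponse rsp) throws IOException {
        Jenkins.get().checkPermission(Item.CREATE);
        String name = req.getParameter("name");
        performCopy(name);
        rsp.sendRedirect(".");
    }

    // Placeholder for the state-changing operation (copying an item).
    private void performCopy(String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("name is required");
        }
        // ... copy logic would go here ...
    }

    @Override public String getIconFileName() { return null; }
    @Override public String getDisplayName() { return "Example"; }
    @Override public String getUrlName() { return "example"; }
}
```

For reviewers auditing a plugin, the check is mechanical: every `doXxx` method that changes state should carry @RequirePOST (or an equivalent method restriction) and perform its own permission check; a handler that lacks the annotation is reachable by GET and therefore by CSRF regardless of the crumb configuration.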