8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-40336

CVE-2023-40336: Jenkins Folders Plugin cross-site request forgery vulnerability

Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability.

This vulnerability allows attackers to copy an item, which could potentially automatically approve unsandboxed scripts and allow the execution of unsafe scripts.

Folders Plugin 6.848.ve3b_fd7839a_81 requires POST requests for the affected HTTP endpoint.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-40336

CVE-2023-40336:

8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:cloudbees-folder	maven	< 6.848.ve3b	6.848.ve3b

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability stems from missing HTTP method validation on an item copy endpoint. Jenkins security advisories explicitly state the fix required adding POST method enforcement. In Jenkins plugin architecture, HTTP handlers like doCopyItem in folder implementations would be annotated with @RequirePOST in patched versions. The vulnerable version lacked this security control, making this method the direct entry point for CSRF exploitation. The function name follows Jenkins' standard do[Action] pattern for HTTP endpoints in AbstractFolder implementations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-40336: Jenkins Folders Plugin cross-site request forgery vulnerability

CVE-2023-40336:

8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8

8

Technical Details

CVE-2023-40336: Jenkins Folders Plugin cross-site request forgery vulnerability

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI