CVE-2023-35141: 
Java vulnerability analysis and mitigation

A CSRF protection bypass vulnerability (CVE-2023-35141) was discovered in Jenkins versions 2.399 and earlier, as well as LTS 2.387.3 and earlier. The vulnerability was disclosed on June 14, 2023, affecting the core Jenkins application. This high-severity vulnerability, with a CVSS score of 8.0, involves the context menu functionality for various UI elements like links to jobs, builds, and breadcrumbs (Jenkins Advisory, Security Online).

The vulnerability stems from the way Jenkins handles POST requests when loading context action lists. When part of the URL contains insufficiently escaped user-provided values, the system becomes vulnerable to manipulation. The issue specifically affects context menu URLs for label expressions, where POST requests are sent to load the list of context actions. The vulnerability has been assigned a CVSS v3.1 base score of 8.0 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H (NVD).

If exploited, this vulnerability could allow an attacker to trick victims into sending POST requests to unexpected endpoints, such as the Script Console, simply by having them open a context menu. The vulnerability is particularly concerning for users with Item/Configure permissions, as they could be targeted to perform unauthorized actions on the system (Jenkins Advisory).

The vulnerability has been fixed in Jenkins 2.400 and LTS 2.401.1. In these updated versions, the system now sends GET requests instead of POST requests to load the list of context actions, effectively mitigating the CSRF protection bypass vulnerability. Users are strongly advised to upgrade to these newer versions to protect their systems (Jenkins Advisory).