Tested as follows with 2.176.2 successfully:
wget -q --auth-no-challenge --user jheylen --password XXXXXX --output-document - 'http://jenkins/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'
crumb=Jenkins-Crumb:1e7fe08f74e2ad6814e309af63986292
curl -X POST -H Jenkins-Crumb:1e7fe08f74e2ad6814e309af63986292 --silent --basic -u jheylen:XXXXXXX 'http://jenkins/me/descriptorByName/jenkins.security.ApiTokenProperty/generateNewToken?newTokenName=temp'
API_token=1103e007f9659c28d25ee...
But with 2.176.3, we get:
Sep 04, 2019 3:51:40 PM hudson.security.csrf.CrumbFilter doFilter
WARNING: Found invalid crumb 22bdf12008e1ee08ae29a897a00f669d. Will check remaining parameters for a valid one...
Sep 04, 2019 3:51:40 PM hudson.security.csrf.CrumbFilter doFilter
WARNING: No valid crumb was included in request for /descriptorByName/hudson.security.LDAPSecurityRealm$CacheConfiguration/fillTtlItems by jheylen. Returning 403.
for every crumb retrieved with the above workflow.
Is this an issue in 2.176.3, or are we using the api/crumb in a wrong way?
Started getting this on my instance as well. In my case, changing my triggering code to maintain session cookies was sufficient to get it to work. Didn't find a "nice" way to do that with curl/wget though, so wound up switching to a Perl-based trigger. It seems like --cookie-jar SHOULD work, but didn't for me.
I believe it's related to this:
https://jenkins.io/security/advisory/2019-07-17/#SECURITY-626
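The session dependence discussed in this thread, as an added example that is not part of the original posts and is not Jenkins code: a client that fetches a crumb and then POSTs with it, once without and once with a cookie jar. `FakeJenkins` is a constructed local stand-in that assumes the crumb is derived from the session ID, and the `/job/demo/build` path and simplified crumb response are hypothetical.

```python
import hashlib, secrets, threading
import http.cookiejar, http.server, urllib.error, urllib.request

SECRET = secrets.token_hex(16)  # per-run secret of the constructed stand-in server

def crumb_for(session_id):  # assumed model: the crumb value depends on the session ID
    return hashlib.sha256((SECRET + session_id).encode()).hexdigest()[:32]

class FakeJenkins(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in with session-bound crumbs; not Jenkins code."""
    def session(self):
        cookie = self.headers.get("Cookie", "")
        return cookie.split("JSESSIONID=")[-1].split(";")[0] if "JSESSIONID=" in cookie else None
    def do_GET(self):  # crumb issuer: opens a session if the client sent none
        sid = self.session() or secrets.token_hex(8)
        self.send_response(200)
        self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/")
        self.end_headers()
        self.wfile.write(f"Jenkins-Crumb:{crumb_for(sid)}".encode())
    def do_POST(self):  # a POST must carry the crumb matching the session it arrives in
        ok = self.headers.get("Jenkins-Crumb") == crumb_for(self.session() or "")
        self.send_response(200 if ok else 403)
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo output quiet

def post_with_crumb(base, keep_cookies):
    """Fetch a crumb, then POST with it; returns the HTTP status of the POST."""
    handlers = [urllib.request.ProxyHandler({})]  # ignore any proxy environment variables
    if keep_cookies:
        handlers.append(urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    opener = urllib.request.build_opener(*handlers)
    field, crumb = opener.open(base + "/crumbIssuer/").read().decode().split(":")
    req = urllib.request.Request(base + "/job/demo/build", data=b"", headers={field: crumb})
    try:
        return opener.open(req).status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), FakeJenkins)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return post_with_crumb(base, False), post_with_crumb(base, True)
    finally:
        server.shutdown()

if __name__ == "__main__":
    print(demo())  # (status without cookies, status with cookies)
```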