CVE-2023-41932

Published: Sep 6, 2023Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers with to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called 'history.xml'.

Affected (1)

Products: Jenkins: Job Configuration History

1 product

Job Configuration History

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jenkins Job Configuration History	Up to 1227.v7a_79fc4dc01f

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (4)

http://www.openwall.com/lists/oss-security/2023/09/06/9

Source: jenkinsci-cert@googlegroups.com

Mailing ListThird Party Advisory

https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3235

Source: jenkinsci-cert@googlegroups.com

Vendor Advisory

http://www.openwall.com/lists/oss-security/2023/09/06/9

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://www.jenkins.io/security/advisory/2023-09-06/#SECURITY-3235

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.