CVE-2023-43497

Published: Sep 20, 2023Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.

Affected (2)

Products: Jenkins: Jenkins

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Jenkins Jenkins	Before 2.424
Jenkins Jenkins	Before 2.414.2

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

http://www.openwall.com/lists/oss-security/2023/09/20/5

Source: jenkinsci-cert@googlegroups.com

Mailing ListThird Party Advisory

https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3073

Source: jenkinsci-cert@googlegroups.com

Vendor Advisory

http://www.openwall.com/lists/oss-security/2023/09/20/5

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3073

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.