Directory Deletion Vulnerability in Jenkins Job Configuration History Plugin
CVE-2023-41932

6.5 MEDIUM

Key Information:

Vendor
Jenkins
CVE Published:
6 September 2023

Summary

The Jenkins Job Configuration History Plugin does not restrict the 'timestamp' query parameter in multiple endpoints. The parameter is used to locate a history revision directory on the Jenkins controller file system, so an attacker with Overall/Read permission can point it at any directory they choose and have that directory deleted, provided it contains a file named 'history.xml'. The practical impact is destruction of job configuration history, and of any other directory on the controller the attacker can reach that happens to carry a 'history.xml' file.
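
How the flaw arises and how to close it, as an added illustration that is not the plugin's own code: a Python model of an endpoint that takes the 'timestamp' query parameter, builds a revision path from it and deletes the directory if it holds history.xml. The vulnerable form splices the parameter straight into the path, so a traversal string such as ../../../victim walks out of the history root; the hardened form accepts only a well-formed timestamp and then confirms the resolved path is still inside the job's history directory. The <root>/<job>/<timestamp>/history.xml layout, the yyyy-MM-dd_HH-mm-ss naming and all function names are assumptions for the illustration; only the history.xml marker comes from the advisory.

```python
"""Model of CVE-2023-41932: an unvalidated 'timestamp' request parameter used
to build a filesystem path. Added illustration, not Job Configuration History
Plugin code. Assumed layout: <history_root>/<job>/<timestamp>/history.xml;
the 'history.xml' marker is from the advisory, the rest is assumed."""
import os
import re
import shutil
import tempfile

MARKER = "history.xml"
# Assumed revision-directory naming (yyyy-MM-dd_HH-mm-ss style).
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}$")


def delete_revision_vulnerable(history_root, job, timestamp):
    """Vulnerable: the query parameter is joined into the path unchecked, so
    '../../../victim' escapes history_root. Returns True if a directory was removed."""
    target = os.path.join(history_root, job, timestamp)
    if os.path.isfile(os.path.join(target, MARKER)):
        shutil.rmtree(target)
        return True
    return False


def delete_revision_hardened(history_root, job, timestamp):
    """Hardened: reject anything that is not a well-formed timestamp, then
    confirm the canonical path is a direct child of this job's history directory
    (this second check also catches a revision directory replaced by a symlink)."""
    if not TIMESTAMP_RE.fullmatch(timestamp):
        raise ValueError(f"malformed timestamp: {timestamp!r}")
    job_dir = os.path.realpath(os.path.join(history_root, job))
    target = os.path.realpath(os.path.join(job_dir, timestamp))
    if os.path.dirname(target) != job_dir:
        raise ValueError("timestamp resolves outside the job history directory")
    if os.path.isfile(os.path.join(target, MARKER)):
        shutil.rmtree(target)
        return True
    return False


def build_fixture():
    """Constructed layout: one legitimate revision under the history root, plus
    an unrelated directory outside it that happens to contain history.xml."""
    base = tempfile.mkdtemp(prefix="jch-")
    root = os.path.join(base, "config-history", "jobs")
    legit = os.path.join(root, "build-app", "2023-09-06_10-30-00")
    victim = os.path.join(base, "victim")  # outside config-history entirely
    for d in (legit, victim):
        os.makedirs(d)
        with open(os.path.join(d, MARKER), "w") as fh:
            fh.write("<history/>")
    return base, root, legit, victim


def demo():
    """Runs both variants against the same traversal value and reports what
    each one did. Returned flags are all True when the model behaves as described."""
    base, root, legit, victim = build_fixture()
    try:
        # From <root>/build-app, three '..' steps land in <base>, next to 'victim'.
        traversal = os.path.join("..", "..", "..", "victim")
        try:
            delete_revision_hardened(root, "build-app", traversal)
            hardened_blocked = False
        except ValueError:
            hardened_blocked = True
        victim_intact = os.path.isdir(victim)
        # The hardened path still deletes a genuine revision.
        legit_removed = delete_revision_hardened(root, "build-app", "2023-09-06_10-30-00")
        legit_gone = not os.path.isdir(legit)
        # The vulnerable path deletes the directory outside the history root.
        vuln_removed = delete_revision_vulnerable(root, "build-app", traversal)
        victim_gone = not os.path.isdir(victim)
        return {
            "hardened_blocked_traversal": hardened_blocked and victim_intact,
            "hardened_deleted_real_revision": legit_removed and legit_gone,
            "vulnerable_deleted_victim": vuln_removed and victim_gone,
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The regex check alone stops this traversal because a timestamp can never contain a path separator; the realpath containment check is the defence-in-depth layer for the case the regex cannot see, a correctly named revision directory that has been replaced by a symlink pointing elsewhere on the controller.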

Affected Version(s)

Jenkins Job Configuration History Plugin, all versions up to and including 1227.v7a_79fc4dc01f

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
