CVE-2023-43498

8.1HIGH

Key Information

Vendor: Jenkins
Status: Jenkins
Vendor: CVE Published:; 20 September 2023

Summary

In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.

Affected Version(s)

Jenkins <= 2.424

Jenkins >= 2.424

Jenkins >= 2.414.*

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Sep 20, 2023
Vulnerability Reserved.
Sep 19, 2023

Collectors

NVD DatabaseMitre Database