File Upload Vulnerability in Jenkins by CloudBees
CVE-2023-43498

8.1HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins
Vendor: CVE Published:; 20 September 2023

Summary

In Jenkins versions up to 2.423 and LTS version 2.414.1, an issue was identified where the MultipartFormDataParser handling file uploads can lead to the creation of temporary files with default system permissions. This may allow unauthorized access for attackers who gain access to the Jenkins controller filesystem, enabling them to potentially read and write these files before they are processed by the system.

Affected Version(s)

Jenkins 2.424

Jenkins 2.414.2 < 2.414.*

References

https://www.jenkins.io/security/advisory/2023-09-20/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/09/20/5

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 20, 2023
Vulnerability Reserved
Sep 19, 2023