Symbolic Link Vulnerability in Jenkins CloudBees CD Plugin
CVE-2023-46654

8.1HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Cloudbees Cd Plugin
Vendor: CVE Published:; 25 October 2023

What is CVE-2023-46654?

The Jenkins CloudBees CD Plugin version 1.1.32 and earlier is susceptible to a vulnerability where symbolic links can be followed to unauthorized locations during the cleanup phase of the 'CloudBees CD - Publish Artifact' post-build step. This flaw enables attackers with the ability to configure jobs to execute commands that may lead to the deletion of arbitrary files from the Jenkins controller filesystem, potentially compromising the security and integrity of the system.

Affected Version(s)

Jenkins CloudBees CD Plugin 0 <= 1.1.32

References

https://www.jenkins.io/security/advisory/2023-10-25/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/10/25/2

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 25, 2023
Vulnerability Reserved
Oct 24, 2023