Symbolic Link Vulnerability in Jenkins CloudBees CD Plugin
CVE-2023-46655

6.5MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Cloudbees Cd Plugin
Vendor
CVE Published:
25 October 2023

Summary

The Jenkins CloudBees CD Plugin, up to version 1.1.32, contains a vulnerability that allows attackers to exploit symbolic links during the post-build step of publishing artifacts. This flaw enables a compromised job configuration to facilitate the publication of arbitrary files from the Jenkins controller's file system to the designated CloudBees CD server, potentially leading to significant security risks.

Affected Version(s)

Jenkins CloudBees CD Plugin 0 <= 1.1.32

References

https://www.jenkins.io/security/advisory/2023-10-25/#SECU...
vendor-advisory
http://www.openwall.com/lists/oss-security/2023/10/25/2

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.