Symbolic Link Vulnerability in Jenkins CloudBees CD Plugin
CVE-2023-46655

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Cloudbees Cd Plugin
Vendor: CVE Published:; 25 October 2023

What is CVE-2023-46655?

The Jenkins CloudBees CD Plugin, up to version 1.1.32, contains a vulnerability that allows attackers to exploit symbolic links during the post-build step of publishing artifacts. This flaw enables a compromised job configuration to facilitate the publication of arbitrary files from the Jenkins controller's file system to the designated CloudBees CD server, potentially leading to significant security risks.

Affected Version(s)

Jenkins CloudBees CD Plugin 0 <= 1.1.32

References

https://www.jenkins.io/security/advisory/2023-10-25/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/10/25/2

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 25, 2023
Vulnerability Reserved
Oct 24, 2023