File Deletion Vulnerability in Jenkins Scriptler Plugin by Jenkins
CVE-2023-50764

8.1HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Scriptler Plugin
Vendor: CVE Published:; 13 December 2023

Summary

The Jenkins Scriptler Plugin prior to version 342.v6a_89fd40f466 lacks proper validation of the file name query parameter in an HTTP endpoint. This vulnerability can be exploited by users with Scriptler/Configure permission, enabling them to delete arbitrary files from the Jenkins controller's file system, potentially leading to critical data loss and disruption of service.

Affected Version(s)

Jenkins Scriptler Plugin 0 <= 342.v6a_89fd40f466

References

https://www.jenkins.io/security/advisory/2023-12-13/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/12/13/4

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 13, 2023
Vulnerability Reserved
Dec 13, 2023