CVE-2023-27899
First published: Wed Mar 08 2023(Updated: )
A flaw was found in Jenkins. Jenkins creates a temporary file when a plugin is uploaded from an administrator’s computer. If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <0:2.401.1.1686831596-3.el8 | 0:2.401.1.1686831596-3.el8 |
| redhat/jenkins | <0:2.387.1.1680701869-1.el8 | 0:2.387.1.1680701869-1.el8 |
| <2.375.4 | ||
| <2.394 | ||
| Jenkins Jenkins | <2.375.4 | |
| Jenkins Jenkins | <2.394 | |
| redhat/Jenkins | <2.394 | 2.394 |
| redhat/LTS | <2.375.4 | 2.375.4 |
| redhat/LTS | <2.387.1 | 2.387.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-27899
- https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2823
- https://github.com/CVEProject/cvelist/blob/master/2023/27xxx/CVE-2023-27899.json
- https://github.com/jenkinsci/jenkins/commit/f39c11fa27b14923260c4c9b896f0f373e2a0a17
- https://github.com/advisories/GHSA-hf9h-vv4m-2f33 (Advisory)
- https://access.redhat.com/errata/RHSA-2023:1655
- https://access.redhat.com/security/cve/cve-2023-27899
- https://access.redhat.com/errata/RHSA-2023:3663
- https://bugzilla.redhat.com/show_bug.cgi?id=2177626
- https://www.cve.org/CVERecord?id=CVE-2023-27899 https://nvd.nist.gov/vuln/detail/CVE-2023-27899 https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2823
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-27899.
What is the severity of CVE-2023-27899?
The severity of CVE-2023-27899 is high.
How does CVE-2023-27899 affect Jenkins?
CVE-2023-27899 affects Jenkins versions 2.393 and earlier, LTS 2.375.3 and earlier, and prior to LTS 2.387.1.
How can I fix CVE-2023-27899?
To fix CVE-2023-27899, update Jenkins to version 2.394 or above.
Where can I find more information about CVE-2023-27899?
You can find more information about CVE-2023-27899 at the following links: [CVE-2023-27899](https://www.cve.org/CVERecord?id=CVE-2023-27899), [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-27899), [Jenkins Security Advisory](https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2823), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2177626), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2023:3663).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/github-advisory
- source/GitHub
- alias/GHSA-hf9h-vv4m-2f33
- alias/CVE-2023-27899
- agent/software-canonical-lookup
- collector/github-advisory-latest
- collector/mitre-cve
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- collector/redhat-cve
- package-manager/maven
- vendor/jenkins
- canonical/jenkins jenkins
- package-manager/redhat