CVE-2023-27900
First published: Wed Mar 08 2023(Updated: )
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier, and prior to LTS 2.387.1 is affected by the Apache Commons FileUpload library’s vulnerability CVE-2023-24998. This library is used to process uploaded files via the Stapler web framework (usually through StaplerRequest#getFile) and MultipartFormDataParser in Jenkins. This allows attackers to cause a denial of service (DoS) by sending crafted requests to HTTP endpoints processing file uploads. Jenkins 2.394, LTS 2.375.4, and LTS 2.387.1 limits the number of request parts to be processed to 1000. Specific endpoints receiving only simple form submissions have a lower limit.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.jenkins-ci.main:jenkins-core | >=2.376<2.387.1 | 2.387.1 |
| maven/org.jenkins-ci.main:jenkins-core | >=2.388<2.394 | 2.394 |
| maven/org.jenkins-ci.main:jenkins-core | <2.375.4 | 2.375.4 |
| Jenkins Jenkins | <2.375.4 | |
| Jenkins Jenkins | <2.394 | |
| redhat/Jenkins | <2.394 | 2.394 |
| redhat/LTS | <2.375.4 | 2.375.4 |
| redhat/LTS | <2.387.1 | 2.387.1 |
| redhat/jenkins | <0:2.387.3.1684911776-3.el8 | 0:2.387.3.1684911776-3.el8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-27900
- https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030
- https://github.com/CVEProject/cvelist/blob/master/2023/27xxx/CVE-2023-27900.json
- https://github.com/jenkinsci/jenkins/commit/b70f4cb5892bd6059a45b5f156f019ce572adb08
- https://github.com/advisories/GHSA-frgr-c5f2-8qhh (Advisory)
- https://access.redhat.com/security/cve/CVE-2023-24998
- https://access.redhat.com/errata/RHSA-2023:3299
- https://access.redhat.com/security/cve/cve-2023-27900
- https://bugzilla.redhat.com/show_bug.cgi?id=2177638
- https://www.cve.org/CVERecord?id=CVE-2023-27900 https://nvd.nist.gov/vuln/detail/CVE-2023-27900 https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030
Frequently Asked Questions
What is CVE-2023-27900?
CVE-2023-27900 is a vulnerability in Jenkins that allows attackers to trigger a denial of service by exploiting the Apache Commons FileUpload library.
What versions of Jenkins are affected by CVE-2023-27900?
Versions 2.393 and earlier, as well as LTS 2.375.3 and earlier, are affected by CVE-2023-27900.
How can I fix CVE-2023-27900 in Jenkins?
To fix CVE-2023-27900, you should update Jenkins to version 2.394 or later.
Is there a fix available for the LTS version of Jenkins?
Yes, there is a fix available for the LTS version of Jenkins. You should update to LTS 2.375.4 or later.
Where can I find more information about CVE-2023-27900?
You can find more information about CVE-2023-27900 on the CVE website, NVD, Jenkins security advisory, and Red Hat Bugzilla.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/github-advisory-latest
- alias/GHSA-frgr-c5f2-8qhh
- alias/CVE-2023-27900
- collector/mitre-cve
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- collector/redhat-cve
- package-manager/maven
- vendor/jenkins
- canonical/jenkins jenkins
- package-manager/redhat