First published: Wed Mar 08 2023
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier, and LTS releases prior to 2.387.1 are affected by CVE-2023-24998, a vulnerability in the Apache Commons FileUpload library. Jenkins uses this library to process uploaded files through the Stapler web framework (usually via StaplerRequest#getFile) and through MultipartFormDataParser. Attackers can cause a denial of service (DoS) by sending crafted requests to HTTP endpoints that process file uploads. Jenkins 2.394, LTS 2.375.4, and LTS 2.387.1 limit the number of request parts processed to 1000; specific endpoints that receive only simple form submissions have a lower limit.
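As an added illustration of the mitigation described above (example code written for this page, not Jenkins' or Commons FileUpload's own), a minimal multipart/form-data part counter that stops processing as soon as a request exceeds a configured part limit; the boundary string, field names and request bodies are constructed here for testing.

```python
# Constructed example: enforce a hard cap on the number of multipart parts,
# mirroring the 1000-part limit Jenkins 2.394 / LTS 2.375.4 / LTS 2.387.1 apply.
# Only delimiter lines are inspected, so part bodies are never buffered or decoded.

MAX_PARTS = 1000  # the cap stated in the advisory


class TooManyParts(Exception):
    """Raised when a multipart body contains more parts than allowed."""


def count_parts(body: bytes, boundary: str, max_parts: int = MAX_PARTS) -> int:
    """Count the parts in a multipart body (RFC 2046 delimiters).

    Each "--boundary\\r\\n" line starts a part; "--boundary--" closes the body.
    Raises TooManyParts as soon as the (max_parts + 1)th part is seen, so an
    oversized request is rejected without scanning the rest of it.
    """
    delim = b"--" + boundary.encode("ascii")
    count = 0
    pos = 0
    while True:
        idx = body.find(delim, pos)
        if idx == -1:
            return count                      # no closing delimiter; return what we saw
        pos = idx + len(delim)
        after = body[pos:pos + 2]
        if after == b"--":                    # closing delimiter: end of body
            return count
        if after == b"\r\n":                  # delimiter line: a new part begins
            count += 1
            if count > max_parts:
                raise TooManyParts(f"more than {max_parts} parts in request")


def within_limit(body: bytes, boundary: str, max_parts: int = MAX_PARTS) -> bool:
    """True if the body should be accepted, False if it must be rejected."""
    try:
        count_parts(body, boundary, max_parts)
        return True
    except TooManyParts:
        return False


def build_form(fields: dict, boundary: str = "TestBoundary") -> bytes:
    """Build a constructed multipart/form-data body with one part per field."""
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'.encode()
        for n, v in fields.items()
    ]
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts)
```

A flood of 1500 single-byte fields is rejected after the 1001st delimiter line, while a normal three-field form passes untouched.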
Credit: jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.jenkins-ci.main:jenkins-core | >=2.376, <2.387.1 | 2.387.1 |
| maven/org.jenkins-ci.main:jenkins-core | >=2.388, <2.394 | 2.394 |
| maven/org.jenkins-ci.main:jenkins-core | <2.375.4 | 2.375.4 |
| Jenkins Jenkins | <2.375.4 | |
| Jenkins Jenkins | <2.394 | |
| redhat/Jenkins | <2.394 | 2.394 |
| redhat/LTS | <2.375.4 | 2.375.4 |
| redhat/LTS | <2.387.1 | 2.387.1 |
| redhat/jenkins | <0:2.387.3.1684911776-3.el8 | 0:2.387.3.1684911776-3.el8 |
CVE-2023-27900 is a vulnerability in Jenkins that allows attackers to trigger a denial of service by exploiting the Apache Commons FileUpload library.
Versions 2.393 and earlier, as well as LTS 2.375.3 and earlier, are affected by CVE-2023-27900.
To fix CVE-2023-27900, you should update Jenkins to version 2.394 or later.
A fix is also available for the LTS line of Jenkins: update to LTS 2.375.4 or later.
You can find more information about CVE-2023-27900 on the CVE website, NVD, Jenkins security advisory, and Red Hat Bugzilla.