CVE-2023-27901
First published: Wed Mar 08 2023(Updated: )
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.jenkins-ci.main:jenkins-core | >=2.376<2.387.1 | 2.387.1 |
| maven/org.jenkins-ci.main:jenkins-core | >=2.388<2.394 | 2.394 |
| maven/org.jenkins-ci.main:jenkins-core | <2.375.4 | 2.375.4 |
| <2.375.4 | ||
| <2.394 | ||
| Jenkins Jenkins | <2.375.4 | |
| Jenkins Jenkins | <2.394 | |
| redhat/Jenkins | <2.394 | 2.394 |
| redhat/LTS | <2.375.4 | 2.375.4 |
| redhat/LTS | <2.387.1 | 2.387.1 |
| redhat/jenkins | <0:2.387.3.1684911776-3.el8 | 0:2.387.3.1684911776-3.el8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-27901
- https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030
- https://github.com/CVEProject/cvelist/blob/master/2023/27xxx/CVE-2023-27901.json
- https://github.com/jenkinsci/jenkins/commit/b70f4cb5892bd6059a45b5f156f019ce572adb08
- https://github.com/advisories/GHSA-h76p-mc68-jv3p (Advisory)
- https://access.redhat.com/security/cve/CVE-2023-24998
- https://access.redhat.com/errata/RHSA-2023:3299
- https://access.redhat.com/security/cve/cve-2023-27901
- https://bugzilla.redhat.com/show_bug.cgi?id=2177646
- https://www.cve.org/CVERecord?id=CVE-2023-27901 https://nvd.nist.gov/vuln/detail/CVE-2023-27901 https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030
Frequently Asked Questions
What is CVE-2023-27901?
CVE-2023-27901 is a vulnerability in Jenkins that allows attackers to trigger a denial of service (DoS) attack.
What is the severity of CVE-2023-27901?
CVE-2023-27901 has a severity rating of 7.5 (high).
How does CVE-2023-27901 affect Jenkins?
CVE-2023-27901 affects versions of Jenkins up to 2.393 and LTS 2.375.3. It uses the Apache Commons FileUpload library without specifying limits for the number of request parts, allowing attackers to trigger a denial of service.
How can I fix CVE-2023-27901?
You can fix CVE-2023-27901 by updating Jenkins to version 2.394 or LTS to version 2.375.4.
Where can I find more information about CVE-2023-27901?
You can find more information about CVE-2023-27901 on the CVE website, NVD website, Jenkins Security Advisory, and Red Hat Bugzilla.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/github-advisory
- source/GitHub
- alias/GHSA-h76p-mc68-jv3p
- alias/CVE-2023-27901
- agent/software-canonical-lookup
- collector/github-advisory-latest
- collector/mitre-cve
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- collector/redhat-cve
- package-manager/maven
- vendor/jenkins
- canonical/jenkins jenkins
- package-manager/redhat