First published: Wed Sep 20 2023(Updated: )
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
Jenkins Jenkins | <2.414.2 | |
Jenkins Jenkins | <2.424 | |
<2.414.2 | ||
<2.424 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-43496 is a vulnerability in Jenkins where it creates a temporary file with insecure permissions.
CVE-2023-43496 can be exploited by an attacker with access to the system temporary directory, allowing them to modify or replace the temporary file.
CVE-2023-43496 has a severity rating of 8.8 (high).
To fix CVE-2023-43496, upgrade Jenkins to version 2.424 or higher.
Yes, you can find references for CVE-2023-43496 at the following links: [link1](http://www.openwall.com/lists/oss-security/2023/09/20/5), [link2](https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072), [link3](https://nvd.nist.gov/vuln/detail/CVE-2023-43496)