First published: Wed Sep 20 2023(Updated: )
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
Jenkins Jenkins | <2.414.2 | |
Jenkins Jenkins | <2.424 | |
maven/org.jenkins-ci.main:jenkins-core | >=2.415<2.424 | 2.424 |
maven/org.jenkins-ci.main:jenkins-core | >=2.50<2.414.2 | 2.414.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-43498 is a vulnerability in Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, where uploaded files processed via the Stapler web framework and the Jenkins API MultipartFormDataParser create temporary files in the system temporary directory with default permissions for newly created files.
The severity of CVE-2023-43498 is high, with a CVSSv3 score of 8.1.
CVE-2023-43498 affects Jenkins versions 2.423 and earlier, LTS 2.414.1 and earlier.
To fix CVE-2023-43498, upgrade to Jenkins 2.424 or later, or LTS 2.414.2 or later.
You can find more information about CVE-2023-43498 at the following references: [1] http://www.openwall.com/lists/oss-security/2023/09/20/5, [2] https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3073, [3] https://nvd.nist.gov/vuln/detail/CVE-2023-43498