HIGH✓ PATCH🇵🇱 Wersja polska

CVE-2023-43498

CVSS 8.1v3.1pub. 2023-09-20upd. 2024-11-21

In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
  • Jenkins

    APP
    Jenkins
    < 2.414.2< 2.424
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
CI/CD
CWE
References

Related vulnerabilities

CVE-2024-23897CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Jenkins CLI – odczyt dowolnych plików przez path traversal bez uwierzytelnienia

CVE-2018-1000861CRITICAL9.8⚠ KEVten sam produkt

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.13...

CVE-2017-1000353CRITICAL9.8⚠ KEVten sam produkt

Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an unauthenticated remot...

CVE-2023-27898CRITICAL9.6ten sam produkt

Jenkins 2.270 through 2.393 (both inclusive), LTS 2.277.1 through 2.375.3 (both inclusive) does not escape the...

CVE-2021-21685CRITICAL9.1ten sam produkt

Jenkins 2.318 and earlier, LTS 2.303.2 and earlier does not check agent-to-controller access to create parent ...