CVE-2023-27903

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used.

Published: Mar 10, 2023
Updated: May 9, 2024
CVE: CVE-2023-27903
GHSA: GHSA-584m-7r4m-8j6v
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.4
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWEs:

CWE-863

Affected Software
References

Software	From	Fixed in
jenkins / jenkins	-	2.394
jenkins / jenkins	-	2.375.4
org.jenkins-ci.main / jenkins-core	-	2.375.4
org.jenkins-ci.main / jenkins-core	2.376	2.387.1
org.jenkins-ci.main / jenkins-core	2.388	2.394

https://github.com/CVEProject/cvelist/blob/master/2023/27xxx/CVE-2023-27903.json
https://github.com/jenkinsci/jenkins/commit/554587b06db553ce35fa362d7a0b0aef33a57afb
https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3058

Vulnerability Database

289,599

CVE-2023-27903