CVE-2023-43497

In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.

Published: Sep 20, 2023
Updated: May 10, 2024
CVE: CVE-2023-43497
GHSA: GHSA-qv64-w99c-qcr9
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWEs:

CWE-434

Affected Software
References

Software	From	Fixed in
org.jenkins-ci.main / jenkins-core	2.50	2.414.2
org.jenkins-ci.main / jenkins-core	2.415	2.424
jenkins / jenkins	-	2.424
jenkins / jenkins	-	2.414.2

http://www.openwall.com/lists/oss-security/2023/09/20/5
https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3073

Vulnerability Database

289,599

CVE-2023-43497