CVE-2023-43498

In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.

Published: Sep 20, 2023
Updated: May 10, 2024
CVE: CVE-2023-43498
GHSA: GHSA-hq87-h4jg-vxfw
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
org.jenkins-ci.main / jenkins-core	2.50	2.414.2
org.jenkins-ci.main / jenkins-core	2.415	2.424
jenkins / jenkins	-	2.424
jenkins / jenkins	-	2.414.2

http://www.openwall.com/lists/oss-security/2023/09/20/5
https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3073

Vulnerability Database

289,599

CVE-2023-43498