Vulnerability Description
Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, potentially allowing attackers with access to the system temporary directory to replace the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Jenkins | < 2.414.2 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/09/20/5Mailing ListThird Party Advisory
- https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072Vendor Advisory
- http://www.openwall.com/lists/oss-security/2023/09/20/5Mailing ListThird Party Advisory
- https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072Vendor Advisory
FAQ
What is CVE-2023-43496?
CVE-2023-43496 is a vulnerability with a CVSS score of 8.8 (HIGH). Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates a temporary file in the system temporary directory with the default permissions for newly created files when installing a plugin from a URL, ...
How severe is CVE-2023-43496?
CVE-2023-43496 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-43496?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Jenkins.