Vulnerability Description
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Jenkins | < 2.414.2 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/09/20/5Mailing ListThird Party Advisory
- https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3073Vendor Advisory
- http://www.openwall.com/lists/oss-security/2023/09/20/5Mailing ListThird Party Advisory
- https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3073Vendor Advisory
FAQ
What is CVE-2023-43497?
CVE-2023-43497 is a vulnerability with a CVSS score of 8.1 (HIGH). In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permis...
How severe is CVE-2023-43497?
CVE-2023-43497 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-43497?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Jenkins.