CVE-2023-43498

LOW3.6EPSS 0.14%

Jenkins temporary uploaded file created with insecure permissions

Published: 9/20/2023Modified: 4/3/2025

Description

In Jenkins LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.

Affected packages (2)

Bitnami/jenkinsfrom 0, < 2.424.0
Maven/org.jenkins-ci.main:jenkins-core>= 2.50, < 2.414.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.6	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-43498
WEBhttps://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3073
WEBhttp://www.openwall.com/lists/oss-security/2023/09/20/5