CVE-2023-43497
LOW 3.6 | EPSS 0.09%
Jenkins temporary uploaded file created with insecure permissions
Published: 2023/9/20 | Modified: 2025/4/3
Description
In Jenkins LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.
Affected packages (2)
- Bitnami/jenkins from 0, < 2.424.0
- Maven/org.jenkins-ci.main:jenkins-core >= 2.50, < 2.414.2
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.6 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |