CVE-2023-27903

2023-03-1021:15:15

CWE-863

[email protected]

web.nvd.nist.gov

187

cve-2023-27903

jenkins

lts

temporary file

default permissions

file parameter

cli

security vulnerability

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

4.7 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used.

Affected configurations

NVD

Node

jenkinsjenkinsRange<2.375.4lts

jenkinsjenkinsRange<2.394-

CPENameOperatorVersion
jenkins:jenkinsjenkinslt2.375.4
jenkins:jenkinsjenkinslt2.394

CPE	Name	Operator	Version
jenkins:jenkins	jenkins	lt	2.375.4
jenkins:jenkins	jenkins	lt	2.394

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "Jenkins",
    "vendor": "Jenkins Project",
    "versions": [
      {
        "lessThan": "*",
        "status": "unaffected",
        "version": "2.394",
        "versionType": "maven"
      },
      {
        "lessThan": "2.375.*",
        "status": "unaffected",
        "version": "2.375.4",
        "versionType": "maven"
      },
      {
        "lessThan": "2.387.*",
        "status": "unaffected",
        "version": "2.387.1",
        "versionType": "maven"
      }
    ]
  }
]