CVE-2023-27903

2023-03-1021:15:15

Google

osv.dev

cve

jenkins

temporary files

file parameter

cli

security vulnerability

software

4.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

6.9 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used.

CPENameOperatorVersion
jenkinseqjenkins-2.346
jenkinseqjenkins-1.582
jenkinseqchanges/294
jenkinseqjenkins-1.636
jenkinseqjenkins-1.613
jenkinseqjenkins-2.184
jenkinseqjenkins-2.115
jenkinseqbuilds/98
jenkinseqjenkins-2.325
jenkinseqjenkins-1.469

Name	Operator	Version
jenkins	eq	jenkins-2.346
jenkins	eq	jenkins-1.582
jenkins	eq	changes/294
jenkins	eq	jenkins-1.636
jenkins	eq	jenkins-1.613
jenkins	eq	jenkins-2.184
jenkins	eq	jenkins-2.115
jenkins	eq	builds/98
jenkins	eq	jenkins-2.325
jenkins	eq	jenkins-1.469