CVE-2023-27899

HIGH

Jenkins < 2.375.4, < 2.394, 2.376-2.387.1 - Arbitrary Code Execution via Plugin Upload Temporary File

Title source: llm

Description

Jenkins 2.393 and earlier, and LTS 2.375.3 and earlier, create a temporary file in the default temporary directory, with the default permissions for newly created files, when a plugin is uploaded for installation. An attacker with access to the Jenkins controller file system can read and write that file before it is used, potentially resulting in arbitrary code execution.


Scores

CVSS v3 7.0
EPSS 0.0005
EPSS Percentile 15.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-863
Status published
Products (3)
jenkins/jenkins < 2.375.4
jenkins/jenkins < 2.394
org.jenkins-ci.main/jenkins-core 2.376 - 2.387.1 (Maven)
Published Mar 10, 2023
Tracked Since Feb 18, 2026