Description
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.
References (2)
Core 2
Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/20/5
Vendor Advisory vendor-advisory
https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3073
Scores
CVSS v3
8.1
EPSS
0.0009
EPSS Percentile
25.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-434
Status
published
Products (3)
jenkins/jenkins
< 2.414.2
jenkins/jenkins
< 2.424
org.jenkins-ci.main/jenkins-core
2.50 - 2.414.2Maven
Published
Sep 20, 2023
Tracked Since
Feb 18, 2026