CVE-2023-46654

HIGH

Jenkins CloudBees CD Plugin <1.1.32 - Privilege Escalation

Title source: llm

Description

Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.

References (2)

Core 2

Core References

Mailing List, Third Party Advisory

http://www.openwall.com/lists/oss-security/2023/10/25/2

Vendor Advisory vendor-advisory

https://www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3237

Scores

CVSS v3 8.1

EPSS 0.0012

EPSS Percentile 29.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-59

Status published

Products (2)

jenkins/cloudbees_cd < 1.1.32

org.jenkins-ci.plugins/electricflow 0 - 1.1.33Maven

Published Oct 25, 2023

Tracked Since Feb 18, 2026