PT-2023-24119 · Jenkins · Jenkins File Parameter Plugin

Atorralba · Published 2023-05-16 · Updated 2023-05-25 · CVE-2023-32986

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the vulnerable software and affected versions: Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier
Description: The plugin does not restrict the name of Stashed File Parameters, and that name determines the name of the file written to the Jenkins controller when the parameter is uploaded. An attacker with Item/Configure permission can therefore create or replace arbitrary files on the controller file system with attacker-specified content.
Recommendations: For 285.v757c5b_67a_c25 and earlier, update to a version that restricts the name of Stashed File Parameters, such as 285.287.v4b_7b_29d3469d, so that a parameter name can no longer be used to create or replace arbitrary files on the controller. Until the update is applied, treat Item/Configure on any job as equivalent to write access to the controller file system wherever this plugin is installed.
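As an added illustration (not the plugin's code and not its actual fix), the following Python shows the vulnerable pattern the description refers to, an attacker-controlled parameter name joined straight onto a controller-side directory, beside a hardened variant that validates the name and then confirms the resolved path is still inside the stash directory. The base directory, the allow-list pattern, the hostile sample names and the function names are assumptions made for this example.

```python
import os
import re

# Constructed stand-in for the controller-side directory where stashed
# file parameters land; an assumption for this example, not the plugin's path.
STASH_BASE = "/var/lib/jenkins/stash"

# Illustrative allow-list for a parameter name: one path component, no
# separators, no leading dot, bounded length. Not the plugin's actual rule.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def naive_stash_path(name: str, base: str = STASH_BASE) -> str:
    """Vulnerable pattern: the attacker-controlled name is joined onto the
    base unchecked. '..' segments walk out of the base, and an absolute
    name makes os.path.join discard the base altogether."""
    return os.path.normpath(os.path.join(base, name))


def safe_stash_path(name: str, base: str = STASH_BASE) -> str:
    """Hardened pattern: reject anything that is not a single safe file
    name, then double-check that the resolved path is still under base."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected parameter name: {name!r}")
    base_abs = os.path.abspath(base)
    target = os.path.abspath(os.path.join(base_abs, name))
    # Defence in depth: even a name that passes the regex must resolve
    # inside the stash directory.
    if os.path.commonpath([base_abs, target]) != base_abs:
        raise ValueError(f"path escapes stash base: {name!r}")
    return target


def escapes_base(path: str, base: str = STASH_BASE) -> bool:
    """True when path resolves outside base; shows what the naive join
    does with hostile names."""
    base_abs = os.path.abspath(base)
    return os.path.commonpath([base_abs, os.path.abspath(path)]) != base_abs


def rejects(name: str, base: str = STASH_BASE) -> bool:
    """True when safe_stash_path refuses the name."""
    try:
        safe_stash_path(name, base)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed hostile names standing in for attacker-chosen parameter names.
    for hostile in ("../../../../etc/cron.d/evil", "/etc/cron.d/evil"):
        resolved = naive_stash_path(hostile)
        print(f"{hostile!r} -> {resolved} (escapes base: {escapes_base(resolved)})")
        print(f"{hostile!r} rejected by safe_stash_path: {rejects(hostile)}")
    print("build-report.txt ->", safe_stash_path("build-report.txt"))
```

The allow-list alone would stop both hostile names above; the `commonpath` check is kept because it also catches names the regex author did not anticipate (platform-specific separators, a base supplied as a relative path), and it documents the invariant the code actually relies on: nothing outside the stash directory is ever written.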

Fix

Update to File Parameter Plugin 285.287.v4b_7b_29d3469d, which restricts the name of Stashed File Parameters.

Weakness Enumeration

Incorrect Permission

Related identifiers

CVE-2023-32986
GHSA-46F2-X6H2-X9HX

Affected products

Jenkins
Jenkins File Parameter Plugin