PT-2023-6543 · Cloudbees+1 · Jenkins Cloudbees Cd Plugin+1

Andrea Chiera

Publicado

2023-10-25

Atualizado

2023-11-01

CVE-2023-46654

CVSS v2.0

8.5

Alta

Vetor

AV:N/AC:L/Au:S/C:N/I:C/A:C

Name of the Vulnerable Software and Affected Versions Jenkins CloudBees CD Plugin versions 1.1.32 and earlier

Description The issue is related to the handling of symbolic links during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step. This allows attackers who can configure jobs to delete arbitrary files on the Jenkins controller file system. The vulnerability is caused by the plugin following symbolic links to locations outside of the expected directory.

Recommendations For Jenkins CloudBees CD Plugin versions 1.1.32 and earlier, update to version 1.1.33 or later, which deletes symbolic links without following them, thus resolving the issue.

Correção

Link Following

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-59CWE-61CWE-22

Identificadores relacionados

BDU:2023-07305

CVE-2023-46654

GHSA-JX7X-RF3F-J644

Produtos afetados

Jenkins

Jenkins Cloudbees Cd Plugin

PT-2023-6543 · Cloudbees+1 · Jenkins Cloudbees Cd Plugin+1

CVE-2023-46654

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 13