PT-2023-21406 · Apache+1 · Apache Commons Fileupload+1

Jakob Ackermann · Published 2023-03-08 · Updated 2025-02-28 · CVE-2023-27900

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Jenkins versions 2.393 and earlier
Jenkins LTS versions 2.375.3 and earlier

Description

The issue stems from Jenkins using the Apache Commons FileUpload library without setting a limit on the number of request parts, which allows attackers to trigger a denial of service. Jenkins uses this library to process uploaded files through the Stapler web framework and through MultipartFormDataParser. An attacker can cause a denial of service by sending crafted multipart requests to HTTP endpoints that process file uploads.

Recommendations

For Jenkins versions 2.393 and earlier, update to version 2.394 or later, which limits the number of request parts to be processed. For Jenkins LTS versions 2.375.3 and earlier, update to version 2.375.4 or later, which applies the same limit. As a temporary workaround, consider restricting access to HTTP endpoints that process file uploads to minimize the risk of exploitation.
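The configuration gap described above, shown as an added example rather than code from Jenkins or from Positive Technologies: a servlet-side parser built on Apache Commons FileUpload 1.x with no part-count cap, next to a hardened variant that bounds the number of parts, the per-file size and the total request size. The limit values (1000 parts, 10 MiB per file, 50 MiB per request) and the class and method names `MultipartLimits`, `parseUnbounded` and `parseBounded` are assumptions chosen for illustration; `setFileCountMax` is the cap added in Commons FileUpload 1.5, so the hardened variant requires at least that release.

```java
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

// Illustrative class (not Jenkins code): weak vs. hardened multipart parsing.
public class MultipartLimits {

    // Assumed limits for the example; tune to the endpoint's real needs.
    static final long MAX_PARTS = 1000L;                 // cap on parts per request
    static final long MAX_FILE_BYTES = 10L * 1024 * 1024; // 10 MiB per file part
    static final long MAX_REQUEST_BYTES = 50L * 1024 * 1024; // 50 MiB per request

    // Weak configuration: every multipart boundary in the body becomes a parsed
    // part, so a request carrying an enormous number of tiny parts consumes CPU
    // and memory in proportion to the attacker's chosen count (CWE-770).
    static List<FileItem> parseUnbounded(HttpServletRequest req) throws FileUploadException {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        return upload.parseRequest(req);
    }

    // Hardened configuration: the parser refuses the request with a
    // FileUploadException once any of the three limits is exceeded, instead of
    // allocating an unbounded list of FileItem objects.
    static List<FileItem> parseBounded(HttpServletRequest req) throws FileUploadException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            throw new FileUploadException("not a multipart/form-data request");
        }
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileCountMax(MAX_PARTS);       // part-count cap (Commons FileUpload >= 1.5)
        upload.setFileSizeMax(MAX_FILE_BYTES);   // per-part size cap
        upload.setSizeMax(MAX_REQUEST_BYTES);    // whole-request size cap
        return upload.parseRequest(req);
    }
}
```

Wrap the call to `parseBounded` in a handler that maps `FileUploadException` to an HTTP 413 or 400 response and logs the remote address and part count, so that limit hits are visible to detection rather than surfacing as generic server errors. The part-count cap is the control that matters for this advisory; the size caps alone do not stop a body made of many near-empty parts.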

Exploit

Fix

DoS

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

BIT-JENKINS-2023-27900
CVE-2023-27900
GHSA-FRGR-C5F2-8QHH
RHSA-2023:3299

Affected Products

Apache Commons Fileupload
Jenkins