CVE-2023-27903

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.393 and earlier Jenkins LTS versions 2.375.3 and earlier

Description The issue arises when uploading a file parameter through the CLI, as Jenkins creates a temporary file in the default temporary directory with default permissions for newly created files. This potentially allows attackers with access to the Jenkins controller file system to read and write the file before it is used. The vulnerability primarily affects operating systems that use a shared temporary directory for all users, such as Linux. Typically, the default permissions only allow attackers to read the temporary file.

Recommendations For Jenkins versions 2.393 and earlier, update to version 2.394 or later to resolve the issue. For Jenkins LTS versions 2.375.3 and earlier, update to version 2.375.4 or later to resolve the issue. As a temporary workaround for affected versions, consider setting a different path as the default temporary directory using the Java system property java.io.tmpdir.