PT-2023-24119 · Jenkins · Jenkins File Parameter Plugin
Atorralba
Published 2023-05-16 · Updated 2023-05-25
CVE-2023-32986
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Jenkins File Parameter Plugin versions 285.v757c5b_67a_c25 and earlier
Description
The issue allows attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content. The cause is that the name of a Stashed File Parameter, and therefore the name of the file it is uploaded to on the controller, is not restricted, so the written path is not confined to the intended directory.
Recommendations
For versions 285.v757c5b_67a_c25 and earlier, update to a version that restricts the name of Stashed File Parameters, such as version 285.287.v4b_7b_29d3469d, to prevent attackers from creating or replacing arbitrary files on the Jenkins controller file system.
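As an added illustration of the kind of name restriction the recommendation refers to, the Java class below validates a user-supplied parameter name before it is used as a file name under a fixed directory on the controller. This is example code written for this advisory, not the File Parameter Plugin's own code, and the plugin's actual fix may be implemented differently; the stash directory path, the class and method names, and the sample names are assumptions. It applies two independent checks: a character allow-list that only admits a single plain file-name component, and a path-containment check that resolves the name under the base directory and verifies the normalized result is still inside it.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class StashedFileNameCheck {
    // Allow-list for a single path component: letters, digits, dot, underscore, dash.
    // Separators ("/" and "\") are excluded, so the name cannot name a sub- or parent directory.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9._-]{1,255}");

    // True only if `name` is a plain file name: allow-listed characters and not "." or "..".
    public static boolean isSafeName(String name) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            return false;
        }
        // "." and ".." pass the character allow-list but are directory references, not file names.
        return !name.equals(".") && !name.equals("..");
    }

    // Defence in depth: even for a name that passed isSafeName, resolve it under baseDir
    // and confirm the normalized path is still strictly inside baseDir before returning it.
    public static Path resolveInside(Path baseDir, String name) {
        if (!isSafeName(name)) {
            throw new IllegalArgumentException("Rejected parameter name: " + name);
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("Parameter name escapes stash directory: " + name);
        }
        return target;
    }

    public static void main(String[] args) {
        // Assumed example directory; a real plugin would use its own configured location.
        Path stash = Paths.get("/var/lib/jenkins/stash");
        // Constructed sample names: one acceptable, the rest rejected by one of the two checks.
        String[] samples = {"report.bin", "../../escape.txt", "sub/file.txt", "..", "notes\\x.txt"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> accepted: " + resolveInside(stash, s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> " + e.getMessage());
            }
        }
    }
}
```

Only `report.bin` is accepted in the sample run; the other names are rejected by the allow-list before any path is built. The containment check in `resolveInside` is deliberately redundant with the allow-list so that a later relaxation of the regular expression (for example to admit Unicode names) does not silently reintroduce directory traversal.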
Fix
Incorrect Permission
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins File Parameter Plugin