CVE-2023-46654

CVSS v2.0

8.5

High

Vector

AV:N/AC:L/Au:S/C:N/I:C/A:C

Name of the Vulnerable Software and Affected Versions Jenkins CloudBees CD Plugin versions 1.1.32 and earlier

Description The issue is related to the handling of symbolic links during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step. This allows attackers who can configure jobs to delete arbitrary files on the Jenkins controller file system. The vulnerability is caused by the plugin following symbolic links to locations outside of the expected directory.

Recommendations For Jenkins CloudBees CD Plugin versions 1.1.32 and earlier, update to version 1.1.33 or later, which deletes symbolic links without following them, thus resolving the issue.

Fix

Link Following

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-59CWE-61CWE-22

Related Identifiers

BDU:2023-07305

CVE-2023-46654

GHSA-JX7X-RF3F-J644

Affected Products

Jenkins

Jenkins Cloudbees Cd Plugin

CVE-2023-46654

Weakness Enumeration

Related Identifiers

Affected Products

References · 13