CVE-2023-43498

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.423 and earlier, LTS versions 2.414.1 and earlier

Description The issue is related to the creation of temporary files with insecure permissions when processing file uploads using MultipartFormDataParser. This could potentially allow attackers with access to the Jenkins controller file system to read and write the files before they are used. The vulnerability is particularly relevant on operating systems that use a shared temporary directory for all users, such as Linux. However, the default permissions for newly created files generally only allow attackers to read the temporary file, but not write to it.

Recommendations For Jenkins versions 2.423 and earlier, LTS versions 2.414.1 and earlier, update to Jenkins 2.424 or LTS 2.414.2, which creates temporary files in a subdirectory with more restrictive permissions. As a temporary workaround for those unable to immediately update Jenkins, consider changing the default temporary-file directory using the Java system property java.io.tmpdir.