CVE-2023-43497

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.423 and earlier, LTS 2.414.1 and earlier

Description The issue is related to the processing of file uploads using the Stapler web framework, which creates temporary files in the default system temporary directory with the default permissions for newly created files. This potentially allows attackers with access to the Jenkins controller file system to read and write the files before they are used. The vulnerability is more significant on operating systems that use a shared temporary directory for all users, typically Linux. However, the default permissions generally only allow attackers to read the temporary file, not write to it.

Recommendations For Jenkins versions 2.423 and earlier, LTS 2.414.1 and earlier, update to Jenkins 2.424, LTS 2.414.2 or later, which creates temporary files in a subdirectory with more restrictive permissions. As a temporary workaround for those unable to immediately update Jenkins, consider changing the default temporary-file directory using the Java system property java.io.tmpdir.