GHSA-46f2-x6h2-x9hx

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-46f2-x6h2-x9hx/GHSA-46f2-x6h2-x9hx.json
Aliases
  • CVE-2023-32986
Published
2023-05-16T18:30:16Z
Modified
2023-05-25T17:05:15.031760Z
Details

Jenkins File Parameter Plugin 285.v757c5b67ac25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters.

This allows attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

File Parameter Plugin 285.287.v4b7b29d3469d restricts the name (and resulting uploaded file name) of Stashed File Parameters.

Affected packages

Maven / io.jenkins.plugins:file-parameters

io.jenkins.plugins:file-parameters

Affected ranges

Type: ECOSYSTEM
Events:
  • Introduced: 0
  • Fixed: 285.287.v4b

Affected versions

110.*

110.vbe06c86f5235

146.*

146.v7d35212829d0

191.*

191.v35851c9e7a_5a_

205.*

205.vf6ce13b_e5dee

264.*

264.v1733d9b_2a_380

285.*

285.v757c5b_67a_c25

89.*

89.376eab01f493

90.*

90.71fea1303c13

91.*

91.096d3d7d175c

92.*

92.9c5d5a9ffc54

93.*

93.6ebaad75ae3b

99.*

99.102.vbc6a133bcbbb
99.fec41d2457a7