GHSA-46f2-x6h2-x9hx
Suggest an improvement- Source
- https://github.com/advisories/GHSA-46f2-x6h2-x9hx
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-46f2-x6h2-x9hx/GHSA-46f2-x6h2-x9hx.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-46f2-x6h2-x9hx
- Aliases
-
- CVE-2023-32986
- Published
- 2023-05-16T18:30:16Z
- Modified
- 2024-02-16T08:15:28.641092Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Jenkins File Parameter Plugin arbitrary file write vulnerability
- Details
-
Jenkins File Parameter Plugin 285.v757c5b67ac25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters.
This allows attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.
File Parameter Plugin 285.287.v4b7b29d3469d restricts the name (and resulting uploaded file name) of Stashed File Parameters.
- Database specific
{ "github_reviewed": true, "nvd_published_at": "2023-05-16T16:15:11Z", "github_reviewed_at": "2023-05-17T03:07:51Z", "severity": "HIGH", "cwe_ids": [ "CWE-732" ] }- References
Affected packages
Maven / io.jenkins.plugins:file-parameters
Package
- Name
- io.jenkins.plugins:file-parameters
- View open source insights on deps.dev
- Purl
- pkg:maven/io.jenkins.plugins/file-parameters
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed285.287.v4b
Affected versions
89.*
89.376eab01f493
90.*
90.71fea1303c13
91.*
91.096d3d7d175c
92.*
92.9c5d5a9ffc54
93.*
93.6ebaad75ae3b
99.*
99.fec41d2457a7
99.102.vbc6a133bcbbb
110.*
110.vbe06c86f5235
146.*
146.v7d35212829d0
191.*
191.v35851c9e7a_5a_
205.*
205.vf6ce13b_e5dee
264.*
264.v1733d9b_2a_380
285.*
285.v757c5b_67a_c25