GHSA-hf9h-vv4m-2f33

Suggest an improvement
Source
https://github.com/advisories/GHSA-hf9h-vv4m-2f33
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-hf9h-vv4m-2f33/GHSA-hf9h-vv4m-2f33.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hf9h-vv4m-2f33
Aliases
Related
Published
2023-03-10T21:30:19Z
Modified
2024-02-16T08:20:14.850852Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Incorrect Authorization in Jenkins Core
Details

Jenkins creates a temporary file when a plugin is uploaded from an administrator’s computer.

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier, and prior to LTS 2.387.1 creates this temporary file in the system temporary directory with the default permissions for newly created files.

If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.

This vulnerability only affects operating systems using a shared temporary directory for all users (typically Linux). Additionally, the default permissions for newly created files generally only allows attackers to read the temporary file. Jenkins 2.394, LTS 2.375.4, and LTS 2.387.1 creates the temporary file with more restrictive permissions.

As a workaround, you can set a different path as your default temporary directory using the Java system property java.io.tmpdir, if you’re concerned about this issue but unable to immediately update Jenkins.

Database specific
{
    "nvd_published_at": "2023-03-10T21:15:00Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-17T14:45:00Z"
}
References

Affected packages

Maven / org.jenkins-ci.main:jenkins-core

Package

Name
org.jenkins-ci.main:jenkins-core
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.376
Fixed
2.387.1

Affected versions

2.*

2.376
2.377
2.378
2.379
2.380
2.381
2.382
2.383
2.384
2.385
2.386
2.387

Maven / org.jenkins-ci.main:jenkins-core

Package

Name
org.jenkins-ci.main:jenkins-core
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.375.4

Affected versions

1.*

1.396
1.397
1.398
1.399
1.400
1.401
1.403
1.404
1.405
1.406
1.407
1.408
1.409
1.409.1
1.409.2
1.409.3
1.410
1.411
1.412
1.413
1.414
1.415
1.416
1.417
1.418
1.419
1.420
1.421
1.422
1.423
1.424
1.424.1
1.424.2
1.424.3
1.424.4
1.424.5
1.424.6
1.425
1.426
1.427
1.428
1.429
1.430
1.431
1.432
1.433
1.434
1.435
1.436
1.437
1.438
1.439
1.440
1.441
1.442
1.443
1.444
1.445
1.446
1.447
1.447.1
1.447.2
1.448
1.449
1.450
1.451
1.452
1.453
1.454
1.455
1.456
1.457
1.458
1.459
1.460
1.461
1.462
1.463
1.464
1.465
1.466
1.466.1
1.466.2
1.467
1.468
1.469
1.470
1.471
1.472
1.473
1.474
1.475
1.476
1.477
1.478
1.479
1.480
1.480.1
1.480.2
1.480.3
1.481
1.482
1.483
1.484
1.485
1.486
1.487
1.488
1.489
1.490
1.491
1.492
1.493
1.494
1.495
1.496
1.497
1.498
1.499
1.500
1.501
1.502
1.503
1.504
1.505
1.506
1.507
1.508
1.509
1.509.1
1.509.2
1.509.2.JENKINS-8856-diag
1.509.2.JENKINS-14362-jzlib
1.509.3
1.509.3.JENKINS-14362-jzlib
1.509.4
1.510
1.511
1.512
1.513
1.514
1.515
1.516
1.516.JENKINS-14362-jzlib
1.517
1.518
1.518.JENKINS-14362-jzlib
1.519
1.520
1.521
1.522
1.523
1.524
1.525
1.526
1.527
1.528
1.529
1.530
1.531
1.532
1.532.1
1.532.1.JENKINS-19453
1.532.2
1.532.2.JENKINS-21622-diag
1.532.2.JENKINS-22395-diag
1.532.3
1.532.3.JENKINS-22395
1.532.3.JENKINS-22395-2
1.533
1.534
1.535
1.536
1.537
1.538
1.539
1.540
1.541
1.542
1.543
1.544
1.545
1.546
1.547
1.548
1.549
1.550
1.551
1.552
1.553
1.554
1.554.1
1.554.2
1.554.3
1.554.3.JENKINS-18065-ALLRM-all
1.554.3.JENKINS-18065-JENKINS-23945
1.555
1.556
1.557
1.558
1.559
1.560
1.561
1.562
1.563
1.564
1.565
1.565.1
1.565.1.JENKINS-22395-dropLinks
1.565.2
1.565.3
1.566
1.567
1.568
1.569
1.570
1.571
1.572
1.573
1.574
1.575
1.576
1.577
1.578
1.579
1.580
1.580.1
1.580.2
1.580.3
1.581
1.582
1.583
1.584
1.585
1.586
1.587
1.588
1.589
1.590
1.591
1.592
1.593
1.594
1.595
1.596
1.596.1
1.596.2
1.596.3
1.597
1.598
1.599
1.600
1.601
1.602
1.604
1.605
1.606
1.607
1.608
1.609
1.609.1
1.609.2
1.609.3
1.610
1.611
1.612
1.613
1.614
1.615
1.616
1.617
1.618
1.619
1.620
1.621
1.622
1.623
1.624
1.625
1.625.1
1.625.2
1.625.3
1.626
1.627
1.628
1.629
1.630
1.631
1.632
1.633
1.634
1.635
1.636
1.637
1.638
1.639
1.640
1.641
1.642
1.642.1
1.642.2
1.642.3
1.642.4
1.643
1.644
1.645
1.646
1.647
1.648
1.649
1.650
1.651
1.651.1
1.651.2
1.651.3
1.652
1.653
1.654
1.655
1.656
1.657
1.658

2.*

2.0-alpha-1
2.0-alpha-2
2.0-alpha-3
2.0-alpha-4
2.0-beta-1
2.0-beta-2
2.0-rc-1
2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.7.1
2.7.2
2.7.3
2.7.4
2.8
2.9
2.10
2.11
2.12
2.13
2.14
2.15
2.16
2.17
2.18
2.19
2.19.1
2.19.2
2.19.3
2.19.4
2.20
2.21
2.22
2.23
2.24
2.25
2.26
2.27
2.28
2.29
2.30
2.31
2.32
2.32.1
2.32.2
2.32.3
2.33
2.34
2.35
2.36
2.37
2.38
2.39
2.40
2.41
2.42
2.43
2.44
2.45
2.46
2.46.1
2.46.2
2.46.3
2.47
2.48
2.49
2.50
2.51
2.52
2.53
2.54
2.55
2.56
2.57
2.58
2.59
2.60
2.60.1
2.60.2
2.60.3
2.61
2.62
2.63
2.64
2.65
2.66
2.67
2.68
2.69
2.70
2.71
2.72
2.73
2.73.1
2.73.2
2.73.3
2.74
2.75
2.76
2.77
2.78
2.79
2.80
2.81
2.82
2.83
2.84
2.85
2.86
2.87
2.88
2.89
2.89.1
2.89.2
2.89.3
2.89.4
2.90
2.91
2.92
2.93
2.94
2.95
2.96
2.97
2.98
2.99
2.100
2.101
2.102
2.103
2.104
2.105
2.106
2.107
2.107.1
2.107.2
2.107.3
2.108
2.109
2.110
2.111
2.112
2.113
2.114
2.115
2.116
2.117
2.118
2.119
2.120
2.121
2.121.1
2.121.2
2.121.3
2.122
2.123
2.124
2.125
2.126
2.127
2.128
2.129
2.130
2.131
2.132
2.133
2.134
2.135
2.136
2.137
2.138
2.138.1
2.138.2
2.138.3
2.138.4
2.140
2.141
2.142
2.143
2.144
2.145
2.146
2.147
2.148
2.149
2.150
2.150.1
2.150.2
2.150.3
2.151
2.152
2.153
2.154
2.155
2.156
2.157
2.158
2.159
2.160
2.161
2.162
2.163
2.164
2.164.1
2.164.2
2.164.3
2.165
2.166
2.167
2.168
2.169
2.170
2.171
2.172
2.173
2.174
2.175
2.176
2.176.1
2.176.2
2.176.3
2.176.4
2.177
2.178
2.179
2.180
2.181
2.182
2.183
2.184
2.185
2.186
2.187
2.189
2.190
2.190.1
2.190.2
2.190.3
2.191
2.192
2.193
2.194
2.195
2.196
2.197
2.198
2.199
2.200
2.201
2.202
2.203
2.204
2.204.1
2.204.2
2.204.3
2.204.4
2.204.5
2.204.6
2.205
2.206
2.207
2.208
2.209
2.210
2.211
2.212
2.213
2.214
2.215
2.216
2.217
2.218
2.219
2.220
2.221
2.222
2.222.1
2.222.3
2.222.4
2.223
2.224
2.225
2.226
2.227
2.228
2.229
2.230
2.231
2.232
2.233
2.234
2.235
2.235.1
2.235.2
2.235.3
2.235.4
2.235.5
2.236
2.237
2.238
2.239
2.240
2.241
2.242
2.243
2.244
2.245
2.246
2.247
2.248
2.249
2.249.1
2.249.2
2.249.3
2.250
2.251
2.252
2.253
2.254
2.255
2.256
2.257
2.258
2.259
2.260
2.261
2.262
2.263
2.263.1
2.263.2
2.263.3
2.263.4
2.264
2.265
2.266
2.267
2.268
2.269
2.270
2.271
2.272
2.273
2.274
2.275
2.276
2.277
2.277.1
2.277.2
2.277.3
2.277.4
2.278
2.279
2.280
2.281
2.282
2.283
2.284
2.285
2.286
2.287
2.288
2.289
2.289.1
2.289.2
2.289.3
2.290
2.291
2.292
2.293
2.294
2.295
2.296
2.297
2.298
2.299
2.300
2.301
2.302
2.303
2.303.1
2.303.2
2.303.3
2.304
2.305
2.306
2.307
2.308
2.309
2.311
2.312
2.313
2.314
2.315
2.316
2.317
2.318
2.319
2.319.1
2.319.2
2.319.3
2.320
2.321
2.322
2.323
2.324
2.325
2.326
2.327
2.328
2.329
2.330
2.331
2.332
2.332.1
2.332.2
2.332.3
2.332.4
2.333
2.334
2.335
2.336
2.337
2.338
2.339
2.340
2.341
2.342
2.343
2.344
2.345
2.346
2.346.1
2.346.2
2.346.3
2.347
2.348
2.349
2.350
2.354
2.355
2.356
2.357
2.358
2.359
2.360
2.361
2.361.1
2.361.2
2.361.3
2.361.4
2.362
2.363
2.364
2.365
2.366
2.367
2.368
2.369
2.370
2.371
2.372
2.373
2.374
2.375
2.375.1
2.375.2
2.375.3

Maven / org.jenkins-ci.main:jenkins-core

Package

Name
org.jenkins-ci.main:jenkins-core
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.388
Fixed
2.394

Affected versions

2.*

2.388
2.389
2.390
2.391
2.392
2.393