GHSA-jx7x-rf3f-j644

Suggest an improvement
Source
https://github.com/advisories/GHSA-jx7x-rf3f-j644
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-jx7x-rf3f-j644/GHSA-jx7x-rf3f-j644.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jx7x-rf3f-j644
Aliases
Published
2023-10-25T18:32:25Z
Modified
2024-02-16T08:13:46.700562Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Jenkins CloudBees CD Plugin vulnerable to arbitrary file deletion
Details

In Jenkins CloudBees CD Plugin, artifacts that were previously copied from an agent to the controller are deleted after publishing by the 'CloudBees CD - Publish Artifact' post-build step.

CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during this cleanup process.

This allows attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.

CloudBees CD Plugin 1.1.33 deletes symbolic links without following them.

Database specific
{
    "nvd_published_at": "2023-10-25T18:17:40Z",
    "cwe_ids": [
        "CWE-22",
        "CWE-59"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-30T14:57:14Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:electricflow

Package

Name
org.jenkins-ci.plugins:electricflow
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/electricflow

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.33

Affected versions

1.*

1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.1.11
1.1.12
1.1.13
1.1.14
1.1.15
1.1.16
1.1.17
1.1.18
1.1.18.1
1.1.18.2
1.1.19
1.1.20
1.1.21
1.1.22
1.1.22.1
1.1.23
1.1.24
1.1.25
1.1.26
1.1.27
1.1.28
1.1.29
1.1.30
1.1.31
1.1.32