GHSA-qv64-w99c-qcr9

Source

https://github.com/advisories/GHSA-qv64-w99c-qcr9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-qv64-w99c-qcr9/GHSA-qv64-w99c-qcr9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qv64-w99c-qcr9

Aliases

Published

2023-09-20T18:30:21Z

Modified

2024-02-16T08:16:40.903218Z

Severity

3.6 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Jenkins temporary uploaded file created with insecure permissions

Details

In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, uploaded files processed via the Stapler web framework and the Jenkins API MultipartFormDataParser create temporary files in the system temporary directory with the default permissions for newly created files.

If these permissions are overly permissive, attackers with access to the system temporary directory may be able to read and write the file before it is used.

This vulnerability only affects operating systems using a shared temporary directory for all users (typically Linux). Additionally, the default permissions for newly created files generally only allow attackers to read the temporary file, but not write to it. Jenkins 2.424, LTS 2.414.2 creates the temporary files in a subdirectory with more restrictive permissions.

As a workaround, you can change your default temporary-file directory using the Java system property java.io.tmpdir, if you’re concerned about this issue but unable to immediately update Jenkins.

Database specific

{
    "nvd_published_at": "2023-09-20T17:15:11Z",
    "cwe_ids": [
        "CWE-434"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-21T21:38:07Z"
}

References

Affected packages

Maven / org.jenkins-ci.main:jenkins-core

Package

Name: org.jenkins-ci.main:jenkins-core; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.50

Fixed

2.414.2

Affected versions

2.*

2.50

2.51

2.52

2.53

2.54

2.55

2.56

2.57

2.58

2.59

2.60

2.60.1

2.60.2

2.60.3

2.61

2.62

2.63

2.64

2.65

2.66

2.67

2.68

2.69

2.70

2.71

2.72

2.73

2.73.1

2.73.2

2.73.3

2.74

2.75

2.76

2.77

2.78

2.79

2.80

2.81

2.82

2.83

2.84

2.85

2.86

2.87

2.88

2.89

2.89.1

2.89.2

2.89.3

2.89.4

2.90

2.91

2.92

2.93

2.94

2.95

2.96

2.97

2.98

2.99

2.100

2.101

2.102

2.103

2.104

2.105

2.106

2.107

2.107.1

2.107.2

2.107.3

2.108

2.109

2.110

2.111

2.112

2.113

2.114

2.115

2.116

2.117

2.118

2.119

2.120

2.121

2.121.1

2.121.2

2.121.3

2.122

2.123

2.124

2.125

2.126

2.127

2.128

2.129

2.130

2.131

2.132

2.133

2.134

2.135

2.136

2.137

2.138

2.138.1

2.138.2

2.138.3

2.138.4

2.140

2.141

2.142

2.143

2.144

2.145

2.146

2.147

2.148

2.149

2.150

2.150.1

2.150.2

2.150.3

2.151

2.152

2.153

2.154

2.155

2.156

2.157

2.158

2.159

2.160

2.161

2.162

2.163

2.164

2.164.1

2.164.2

2.164.3

2.165

2.166

2.167

2.168

2.169

2.170

2.171

2.172

2.173

2.174

2.175

2.176

2.176.1

2.176.2

2.176.3

2.176.4

2.177

2.178

2.179

2.180

2.181

2.182

2.183

2.184

2.185

2.186

2.187

2.189

2.190

2.190.1

2.190.2

2.190.3

2.191

2.192

2.193

2.194

2.195

2.196

2.197

2.198

2.199

2.200

2.201

2.202

2.203

2.204

2.204.1

2.204.2

2.204.3

2.204.4

2.204.5

2.204.6

2.205

2.206

2.207

2.208

2.209

2.210

2.211

2.212

2.213

2.214

2.215

2.216

2.217

2.218

2.219

2.220

2.221

2.222

2.222.1

2.222.3

2.222.4

2.223

2.224

2.225

2.226

2.227

2.228

2.229

2.230

2.231

2.232

2.233

2.234

2.235

2.235.1

2.235.2

2.235.3

2.235.4

2.235.5

2.236

2.237

2.238

2.239

2.240

2.241

2.242

2.243

2.244

2.245

2.246

2.247

2.248

2.249

2.249.1

2.249.2

2.249.3

2.250

2.251

2.252

2.253

2.254

2.255

2.256

2.257

2.258

2.259

2.260

2.261

2.262

2.263

2.263.1

2.263.2

2.263.3

2.263.4

2.264

2.265

2.266

2.267

2.268

2.269

2.270

2.271

2.272

2.273

2.274

2.275

2.276

2.277

2.277.1

2.277.2

2.277.3

2.277.4

2.278

2.279

2.280

2.281

2.282

2.283

2.284

2.285

2.286

2.287

2.288

2.289

2.289.1

2.289.2

2.289.3

2.290

2.291

2.292

2.293

2.294

2.295

2.296

2.297

2.298

2.299

2.300

2.301

2.302

2.303

2.303.1

2.303.2

2.303.3

2.304

2.305

2.306

2.307

2.308

2.309

2.311

2.312

2.313

2.314

2.315

2.316

2.317

2.318

2.319

2.319.1

2.319.2

2.319.3

2.320

2.321

2.322

2.323

2.324

2.325

2.326

2.327

2.328

2.329

2.330

2.331

2.332

2.332.1

2.332.2

2.332.3

2.332.4

2.333

2.334

2.335

2.336

2.337

2.338

2.339

2.340

2.341

2.342

2.343

2.344

2.345

2.346

2.346.1

2.346.2

2.346.3

2.347

2.348

2.349

2.350

2.354

2.355

2.356

2.357

2.358

2.359

2.360

2.361

2.361.1

2.361.2

2.361.3

2.361.4

2.362

2.363

2.364

2.365

2.366

2.367

2.368

2.369

2.370

2.371

2.372

2.373

2.374

2.375

2.375.1

2.375.2

2.375.3

2.375.4

2.376

2.377

2.378

2.379

2.380

2.381

2.382

2.383

2.384

2.385

2.386

2.387

2.387.1

2.387.2

2.387.3

2.388

2.389

2.390

2.391

2.392

2.393

2.394

2.395

2.396

2.397

2.398

2.399

2.400

2.401

2.401.1

2.401.2

2.401.3

2.402

2.403

2.404

2.405

2.406

2.407

2.409

2.410

2.411

2.412

2.413

2.414

2.414.1

Maven / org.jenkins-ci.main:jenkins-core

Package

Name: org.jenkins-ci.main:jenkins-core; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.415

Fixed

2.424

Affected versions

2.*

2.415

2.416

2.417

2.418

2.419

2.420

2.421

2.422

2.423