vulnerability

Jenkins Advisory 2023-09-20: CVE-2023-43497: CVE-2023-43498: Temporary uploaded file created with insecure permissions

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
9	(AV:N/AC:L/Au:S/C:C/I:C/A:N)	Sep 21, 2023	Sep 21, 2023	Mar 27, 2026

Severity

CVSS

(AV:N/AC:L/Au:S/C:C/I:C/A:N)

Published

Sep 21, 2023

Added

Sep 21, 2023

Modified

Mar 27, 2026

Description

In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.

Solutions

jenkins-lts-upgrade-2_414_2jenkins-upgrade-2_424

References

CVE-2023-43497
https://attackerkb.com/topics/CVE-2023-43497
CVE-2023-43498
https://attackerkb.com/topics/CVE-2023-43498
CWE-434
EUVD-EUVD-2023-2579
https://euvd.enisa.europa.eu/vulnerability/EUVD-2023-2579
https://jenkins.io/security/advisory/2023-09-20/

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today