vulnerability

Jenkins Advisory 2023-09-20: CVE-2023-43497: CVE-2023-43498: Temporary uploaded file created with insecure permissions

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
9	(AV:N/AC:L/Au:S/C:C/I:C/A:N)	Sep 21, 2023	Sep 21, 2023	Mar 27, 2026

Severity

CVSS

(AV:N/AC:L/Au:S/C:C/I:C/A:N)

Published

Sep 21, 2023

Added

Sep 21, 2023

Modified

Mar 27, 2026

Description

In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using the Stapler web framework creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.

Solutions

jenkins-lts-upgrade-2_414_2jenkins-upgrade-2_424

References

CVE-2023-43497
https://attackerkb.com/topics/CVE-2023-43497
CVE-2023-43498
https://attackerkb.com/topics/CVE-2023-43498
CWE-434
EUVD-EUVD-2023-2579
https://euvd.enisa.europa.eu/vulnerability/EUVD-2023-2579
https://jenkins.io/security/advisory/2023-09-20/

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report