Lucene search

[email protected]NVD:CVE-2023-46655

HistoryOct 25, 2023 - 6:17 p.m.

CVE-2023-46655

2023-10-2518:17:40

CWE-59

[email protected]

web.nvd.nist.gov

cve-2023-46655

jenkins

cloudbees cd plugin

symbolic links

artifacts

post-build step

attackers

jenkins controller file system

cloudbees cd server

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

21.4%

JSON

Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the directory from which artifacts are published during the ‘CloudBees CD - Publish Artifact’ post-build step, allowing attackers able to configure jobs to publish arbitrary files from the Jenkins controller file system to the previously configured CloudBees CD server.

Affected configurations

Nvd

Node

jenkinscloudbees_cdRange≤1.1.32jenkins

VendorProductVersionCPE
jenkinscloudbees_cd*cpe:2.3:a:jenkins:cloudbees_cd:*:*:*:*:*:jenkins:*:*

Vendor	Product	Version	CPE
jenkins	cloudbees_cd	*	cpe:2.3:a:jenkins:cloudbees_cd::::::jenkins::*

References

www.openwall.com/lists/oss-security/2023/10/25/2

www.jenkins.io/security/advisory/2023-10-25/#SECURITY-3238

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

21.4%

JSON

Related for NVD:CVE-2023-46655

vulnrichment1 osv2 cve1 cvelist1 github1 prion1 nessus1