CVE-2023-32986
Published: 2023-05-16

Priority: P2 (71)
CVSS 3.1: 8.8 (High), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 63.14% (99.1st percentile)
Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters, allowing attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

Affected (24 ranges)

Vendor           Product                                                     Version range             Fixed in
jenkins          ansible_plugin
jenkins          appspider_plugin
jenkins          azure_vm_agents_plugin
jenkins          cas_plugin
jenkins          code_dx_plugin
jenkins          credentials_plugin
jenkins          email_extension_plugin
jenkins          file_parameter_plugin
jenkins          file_parameters                                             <= 285.                   287.v4b_7b_29d3469d
jenkins          hashicorp_vault_plugin
jenkins          ids_in_azure_vm_agents_plugin
jenkins          improper_masking_of_credentials_in_hashicorp_vault_plugin
jenkins          job_plugin
jenkins          ldap_plugin
jenkins          loadcomplete_support_plugin
jenkins          ns-nd_integration_performance_publisher_plugin
jenkins          pipeline_utility_steps_plugin
jenkins          reverse_proxy_auth_plugin
jenkins          sidebar_link_plugin
jenkins          tag_profiler_plugin
jenkins          testcomplete_support_plugin
jenkins          testng_report_files_and_displayed_on_the_plugin
jenkins          testng_results_plugin
jenkins_project  jenkins_file_parameter_plugin                               <= 285.v757c5b_67a_c25