CVE-2023-46654

CWE-59 CWE-22 — Path Traversal5 documents5 sources

Severity

8.1HIGH

EPSS

0.1%

top 69.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Cloudbees CD Plugin Jenkins Cloudbees CD

Timeline

PublishedOct 25

Description

Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_cloudbees_cd_plugin1.1.32

▶NVDjenkins/cloudbees_cd1.1.32

▶Mavenorg.jenkins-ci.plugins:electricflow< 1.1.33

🔴Vulnerability Details

OSV

Jenkins CloudBees CD Plugin vulnerable to arbitrary file deletion↗2023-10-25

▶

CVEList

CVE-2023-46654: Jenkins CloudBees CD Plugin 1↗2023-10-25

▶

GHSA

Jenkins CloudBees CD Plugin vulnerable to arbitrary file deletion↗2023-10-25

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2023-10-25↗2023-10-25

▶