CVE-2023-50764
Published 2023-12-13
Priority: P347 · Severity: high · CVSS 3.1 base score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.84% (53.3rd percentile)
Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system.
Affected (10 ranges):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | deployment_dashboard_plugin | — | — |
| jenkins | dingding_json_pusher_plugin | — | — |
| jenkins | htmlresource_plugin | — | — |
| jenkins | nexus_platform_plugin | — | — |
| jenkins | openid_connect_authentication_plugin | — | — |
| jenkins | paaslane_estimate_plugin | — | — |
| jenkins | scriptler | <= 342.v6a_89fd40f466 | — |
| jenkins | scriptler_plugin | — | — |
| jenkins | synopsys_rapid_scan_static_is_the_only_plugin | — | — |
| jenkins_project | jenkins_scriptler_plugin | <= 342.v6a_89fd40f466 | — |
OSV · 2023-12-13
CVE-2023-50764 [HIGH] Arbitrary file deletion vulnerability in Jenkins Scriptler Plugin
GHSA · 2023-12-13
CVE-2023-50764 [HIGH] Arbitrary file deletion vulnerability in Jenkins Scriptler Plugin
Jenkins · vendor_jenkins · 2023-12-13 · CVSS 7.5
CVE-2023-5072 [HIGH] Jenkins Security Advisory 2023-12-13
This advisory announces vulnerabilities in the following Jenkins deliverables:
- Analysis Model API Plugin
- Deployment Dashboard Plugin
- Dingding JSON Pusher Plugin
- HTMLResource Plugin
- Nexus Platform Plugin
- OpenId Connect Authentication Plugin
- PaaSL
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.