Creation of Temporary File With Insecure Permissions Affecting org.jenkins-ci.main:jenkins-core package, versions [,2.375.4) [2.376,2.387.1) [2.388,2.394)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGJENKINSCIMAIN-3357684
- published 9 Mar 2023
- disclosed 9 Mar 2023
- credit James Nord (CloudBees)
Introduced: 9 Mar 2023
CVE-2023-27899 Open this link in a new tabHow to fix?
Upgrade org.jenkins-ci.main:jenkins-core to version 2.375.4, 2.387.1, 2.394 or higher.
Overview
org.jenkins-ci.main:jenkins-core is an open source automation server.
Affected versions of this package are vulnerable to Creation of Temporary File With Insecure Permissions when an administrator uploads a file with default permissions, which may be overly permissive. This could allow users to inject files into the Jenkins controller during the installation of a plugin.
Workaround
This vulnerability can be avoided by setting a different path as the default temporary directory, using the java.io.tmpdir system property.