Homepage
About Snyk

Improper Control of Generation of Code ('Code Injection') Affecting org.jenkins-ci.main:jenkins-core package, versions [,2.414.2) [2.415,2.424)

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.12% (48th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGJENKINSCIMAIN-5913349
  • published 21 Sep 2023
  • disclosed 20 Sep 2023
  • credit Daniel Beck
Report a new vulnerability Found a mistake?

Introduced: 20 Sep 2023

CVE-2023-43496 Open this link in a new tab
CWE-94 Open this link in a new tab

How to fix?

Upgrade org.jenkins-ci.main:jenkins-core to version 2.414.2, 2.424 or higher.

Overview

org.jenkins-ci.main:jenkins-core is an open source automation server.

Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') when the temporary file creation process is initiated during plugin installation from a URL. An attacker can replace the file before it is installed, potentially leading to arbitrary code execution.

Note: This is only exploitable if the attacker has access to the system temporary directory.

Workaround

Users unable to upgrade to the fixed version can change the default temporary-file directory using the Java system property java.io.tmpdir .

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7 high
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

8.8 high
Expand this section

Red Hat

7 high