<p>Upgrade <code>org.jenkins-ci.main:jenkins-core</code> to version 2.414.2, 2.424 or higher.</p>

Incorrect Default Permissions Affecting org.jenkins-ci.main:jenkins-core package, versions [2.50,2.414.2) [2.415,2.424)

Threat Intelligence

0.06% (30^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGJENKINSCIMAIN-5914641
published 22 Sep 2023
disclosed 20 Sep 2023
credit Daniel Beck

Report a new vulnerability Found a mistake?

Introduced: 20 Sep 2023

CVE-2023-43497 Open this link in a new tab CWE-276 Open this link in a new tab

How to fix?

Upgrade org.jenkins-ci.main:jenkins-core to version 2.414.2, 2.424 or higher.

Overview

org.jenkins-ci.main:jenkins-core is an open source automation server.

Affected versions of this package are vulnerable to Incorrect Default Permissions via the MultipartFormDataParser API and the Stapler web framework. An attacker can read and write temporary files before they are used by exploiting the default permissions for newly created files in the system temporary directory.

Note:

This is only exploitable if the operating system uses a shared temporary directory for all users (typically Linux).

Workaround

This vulnerability can be mitigated by changing your default temporary-file directory using the Java system property java.io.tmpdir.

References

CVSS Scores

version 3.1

Attack Vector (AV)

Local
Attack Complexity (AC)

High
Privileges Required (PR)

Low
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

Low
Integrity (I)

Low
Availability (A)

None

Incorrect Default Permissions Affecting org.jenkins-ci.main:jenkins-core package, versions [2.50,2.414.2) [2.415,2.424)

Severity

CVSS assessment made by Snyk's Security Team