Lookup for vulnerabilities affecting packages.
| Vulnerability_id | VCID-npms-7xaw-mye9 |
|---|
| Summary | Jenkins temporary uploaded file created with insecure permissions
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, uploaded files processed via the Stapler web framework and the Jenkins API `MultipartFormDataParser` create temporary files in the system temporary directory with the default permissions for newly created files.
If these permissions are overly permissive, attackers with access to the system temporary directory may be able to read and write the file before it is used.
This vulnerability only affects operating systems using a shared temporary directory for all users (typically Linux). Additionally, the default permissions for newly created files generally only allow attackers to read the temporary file, but not write to it.
Jenkins 2.424, LTS 2.414.2 creates the temporary files in a subdirectory with more restrictive permissions.
As a workaround, you can change your default temporary-file directory using the Java system property `java.io.tmpdir`, if you’re concerned about this issue but unable to immediately update Jenkins. |
|---|
| Aliases |
| 0 |
|
| 1 |
| alias |
GHSA-qv64-w99c-qcr9 |
|
|
|---|
| Fixed_packages |
|
|---|
| Affected_packages |
|
|---|
| References |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-43497 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00089 |
| scoring_system |
epss |
| scoring_elements |
0.25263 |
| published_at |
2026-04-24T12:55:00Z |
|
| 1 |
| value |
0.00089 |
| scoring_system |
epss |
| scoring_elements |
0.25305 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.00089 |
| scoring_system |
epss |
| scoring_elements |
0.25374 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00089 |
| scoring_system |
epss |
| scoring_elements |
0.25418 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00089 |
| scoring_system |
epss |
| scoring_elements |
0.2543 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00089 |
| scoring_system |
epss |
| scoring_elements |
0.25388 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00089 |
| scoring_system |
epss |
| scoring_elements |
0.25335 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00089 |
| scoring_system |
epss |
| scoring_elements |
0.25342 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.00089 |
| scoring_system |
epss |
| scoring_elements |
0.25332 |
| published_at |
2026-04-18T12:55:00Z |
|
| 9 |
| value |
0.00089 |
| scoring_system |
epss |
| scoring_elements |
0.25302 |
| published_at |
2026-04-21T12:55:00Z |
|
| 10 |
| value |
0.00089 |
| scoring_system |
epss |
| scoring_elements |
0.25496 |
| published_at |
2026-04-02T12:55:00Z |
|
| 11 |
| value |
0.00089 |
| scoring_system |
epss |
| scoring_elements |
0.25533 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-43497 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
|
|---|
| Weaknesses |
| 0 |
| cwe_id |
434 |
| name |
Unrestricted Upload of File with Dangerous Type |
| description |
The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. |
|
| 1 |
| cwe_id |
378 |
| name |
Creation of Temporary File With Insecure Permissions |
| description |
Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack. |
|
|
|---|
| Exploits |
|
|---|
| Severity_range_score | 0.1 - 3.6 |
|---|
| Exploitability | 0.5 |
|---|
| Weighted_severity | 3.2 |
|---|
| Risk_score | 1.6 |
|---|
| Resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-npms-7xaw-mye9 |
|---|