Search for packages
| purl | pkg:maven/org.jenkins-ci.main/jenkins-core@2.50 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4cy9-1z3y-ekba
Aliases: CVE-2023-43498 GHSA-hq87-h4jg-vxfw |
Jenkins temporary uploaded file created with insecure permissions In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, uploaded files processed via the Stapler web framework and the Jenkins API `MultipartFormDataParser` create temporary files in the system temporary directory with the default permissions for newly created files. If these permissions are overly permissive, attackers with access to the system temporary directory may be able to read and write the file before it is used. This vulnerability only affects operating systems using a shared temporary directory for all users (typically Linux). Additionally, the default permissions for newly created files generally only allow attackers to read the temporary file, but not write to it. Jenkins 2.424, LTS 2.414.2 creates the temporary files in a subdirectory with more restrictive permissions. As a workaround, you can change your default temporary-file directory using the Java system property `java.io.tmpdir`, if you’re concerned about this issue but unable to immediately update Jenkins. |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-dyka-xcrq-8fds
Aliases: CVE-2023-43496 GHSA-55wp-3pq4-w8p9 |
Jenkins temporary plugin file created with insecure permissions Jenkins creates a temporary file when a plugin is deployed directly from a URL. Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates this temporary file in the system temporary directory with the default permissions for newly created files. If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is installed in Jenkins, potentially resulting in arbitrary code execution. This vulnerability only affects operating systems using a shared temporary directory for all users (typically Linux). Additionally, the default permissions for newly created files generally only allow attackers to read the temporary file, but not write to it. This issue complements SECURITY-2823, which affected plugins uploaded from an administrator’s computer. Jenkins 2.424, LTS 2.414.2 creates the temporary file in a subdirectory with more restrictive permissions. As a workaround, you can change your default temporary-file directory using the Java system property java.io.tmpdir, if you’re concerned about this issue but unable to immediately update Jenkins. |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-npms-7xaw-mye9
Aliases: CVE-2023-43497 GHSA-qv64-w99c-qcr9 |
Jenkins temporary uploaded file created with insecure permissions In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, uploaded files processed via the Stapler web framework and the Jenkins API `MultipartFormDataParser` create temporary files in the system temporary directory with the default permissions for newly created files. If these permissions are overly permissive, attackers with access to the system temporary directory may be able to read and write the file before it is used. This vulnerability only affects operating systems using a shared temporary directory for all users (typically Linux). Additionally, the default permissions for newly created files generally only allow attackers to read the temporary file, but not write to it. Jenkins 2.424, LTS 2.414.2 creates the temporary files in a subdirectory with more restrictive permissions. As a workaround, you can change your default temporary-file directory using the Java system property `java.io.tmpdir`, if you’re concerned about this issue but unable to immediately update Jenkins. |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-s1wm-h4xx-tfh9
Aliases: CVE-2023-43495 GHSA-5j46-5hwq-gwh7 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Jenkins 2.423 and earlier, LTS 2.414.1 and earlier does not escape the value of the 'caption' constructor parameter of 'ExpandableDetailsNote', resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control this parameter. |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-syz5-rzv5-ukhb
Aliases: CVE-2017-1000356 GHSA-85wq-pqhp-hmq6 |
Cross-Site Request Forgery (CSRF) Jenkins is vulnerable to an issue in the Jenkins user database authentication realm. |
Affected by 0 other vulnerabilities. |
|
VCID-vv6x-yj68-cqas
Aliases: CVE-2023-43494 GHSA-279f-qwgh-h5mp |
Jenkins does not exclude sensitive build variables from search Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered. |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-yq9y-tdnu-2uc3
Aliases: CVE-2017-1000355 GHSA-4466-8jm4-448p |
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to an XStream: Java crash when trying to instantiate void/Void. |
Affected by 0 other vulnerabilities. |
|
VCID-ytyb-zk5y-6ub2
Aliases: CVE-2017-1000354 GHSA-r57f-7xw3-q2r9 |
Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier are vulnerable to a login command which allowed impersonating any Jenkins user. The `login` command available in the remoting-based CLI stored the encrypted user name of the successfully authenticated user in a cache file used to authenticate further commands. Users with sufficient permission to create secrets in Jenkins, and download their encrypted values (e.g. with Job/Configure permission), were able to impersonate any other Jenkins user on the same instance. |
Affected by 0 other vulnerabilities. |
|
VCID-z5ns-74uq-4uef
Aliases: CVE-2017-1000353 GHSA-26wc-3wqp-g3rp |
Deserialization of Untrusted Data in Jenkins An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing denylist-based protection mechanism. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||