VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-dyka-xcrq-8fds

Essentials
Severities (28)
References (8)
Severity details (14)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-dyka-xcrq-8fds
Aliases	CVE-2023-43496 GHSA-55wp-3pq4-w8p9
Summary	Jenkins temporary plugin file created with insecure permissions Jenkins creates a temporary file when a plugin is deployed directly from a URL. Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates this temporary file in the system temporary directory with the default permissions for newly created files. If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is installed in Jenkins, potentially resulting in arbitrary code execution. This vulnerability only affects operating systems using a shared temporary directory for all users (typically Linux). Additionally, the default permissions for newly created files generally only allow attackers to read the temporary file, but not write to it. This issue complements SECURITY-2823, which affected plugins uploaded from an administrator’s computer. Jenkins 2.424, LTS 2.414.2 creates the temporary file in a subdirectory with more restrictive permissions. As a workaround, you can change your default temporary-file directory using the Java system property java.io.tmpdir, if you’re concerned about this issue but unable to immediately update Jenkins.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-276	Incorrect Default Permissions
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-378	Creation of Temporary File With Insecure Permissions

System	Score	Found at
cvssv3	7.0	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-43496.json
epss	0.0025	https://api.first.org/data/v1/epss?cve=CVE-2023-43496
epss	0.0025	https://api.first.org/data/v1/epss?cve=CVE-2023-43496
epss	0.0025	https://api.first.org/data/v1/epss?cve=CVE-2023-43496
epss	0.0025	https://api.first.org/data/v1/epss?cve=CVE-2023-43496
epss	0.0025	https://api.first.org/data/v1/epss?cve=CVE-2023-43496
epss	0.0025	https://api.first.org/data/v1/epss?cve=CVE-2023-43496
epss	0.0025	https://api.first.org/data/v1/epss?cve=CVE-2023-43496
epss	0.0025	https://api.first.org/data/v1/epss?cve=CVE-2023-43496
epss	0.0025	https://api.first.org/data/v1/epss?cve=CVE-2023-43496
epss	0.0025	https://api.first.org/data/v1/epss?cve=CVE-2023-43496
epss	0.0025	https://api.first.org/data/v1/epss?cve=CVE-2023-43496
epss	0.0025	https://api.first.org/data/v1/epss?cve=CVE-2023-43496
epss	0.0025	https://api.first.org/data/v1/epss?cve=CVE-2023-43496
epss	0.0025	https://api.first.org/data/v1/epss?cve=CVE-2023-43496
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-55wp-3pq4-w8p9
cvssv3.1	7.0	https://github.com/jenkinsci/jenkins/commit/df7c4ccda8976c06bf31b8fb9938f26fc38501ca
generic_textual	HIGH	https://github.com/jenkinsci/jenkins/commit/df7c4ccda8976c06bf31b8fb9938f26fc38501ca
cvssv3.1	7.0	https://nvd.nist.gov/vuln/detail/CVE-2023-43496
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2023-43496
cvssv3.1	7.0	https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072
cvssv3.1	8.8	https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072
generic_textual	HIGH	https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072
ssvc	Track	https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072
cvssv3.1	7.0	http://www.openwall.com/lists/oss-security/2023/09/20/5
cvssv3.1	8.8	http://www.openwall.com/lists/oss-security/2023/09/20/5
generic_textual	HIGH	http://www.openwall.com/lists/oss-security/2023/09/20/5
ssvc	Track	http://www.openwall.com/lists/oss-security/2023/09/20/5

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-43496.json
		https://api.first.org/data/v1/epss?cve=CVE-2023-43496
		https://github.com/jenkinsci/jenkins/commit/df7c4ccda8976c06bf31b8fb9938f26fc38501ca
		https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072
		http://www.openwall.com/lists/oss-security/2023/09/20/5
2239939		https://bugzilla.redhat.com/show_bug.cgi?id=2239939
CVE-2023-43496		https://nvd.nist.gov/vuln/detail/CVE-2023-43496
GHSA-55wp-3pq4-w8p9		https://github.com/advisories/GHSA-55wp-3pq4-w8p9

No exploits are available.

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-43496.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/jenkinsci/jenkins/commit/df7c4ccda8976c06bf31b8fb9938f26fc38501ca

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-43496

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:26:57Z/ Found at https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2023/09/20/5

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2023/09/20/5

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-23T13:26:57Z/ Found at http://www.openwall.com/lists/oss-security/2023/09/20/5

Exploit Prediction Scoring System (EPSS)

Percentile	0.48265
EPSS Score	0.0025
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:51:50.694984+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.main/jenkins-core/CVE-2023-43496.yml	38.0.0