Bug 2177626 (CVE-2023-27899)

Summary: CVE-2023-27899 Jenkins: Temporary plugin file created with insecure permissions
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abenaiss, dfreiber, ellin, jburrell, rogbas, scorneli, shbose, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Jenkins 2.394, LTS 2.375.4, LTS 2.387.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Jenkins. Jenkins creates a temporary file when a plugin is uploaded from an administrator’s computer. If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-04-12 17:38:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2177137    

Description Avinash Hanwate 2023-03-13 08:09:06 UTC 
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier create a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used, potentially resulting in arbitrary code execution.

https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2823
Comment 4 errata-xmlrpc 2023-04-12 11:59:01 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:1655 https://access.redhat.com/errata/RHSA-2023:1655
Comment 5 Product Security DevOps Team 2023-04-12 17:38:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-27899
Comment 6 errata-xmlrpc 2023-06-19 10:13:07 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3663 https://access.redhat.com/errata/RHSA-2023:3663