Bug 2240096 (CVE-2023-43498)

Summary: CVE-2023-43498 jenkins: API MultipartFormDataParser temporary uploaded file created with insecure permissions
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Sayan Biswas <sabiswas>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: asatyam, dfreiber, diagrawa, jburrell, rogbas, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: jenkins 2.424, jenkins LTS 2.414.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Jenkins weekly and LTS due to an issue when processing file uploads using the MultipartFormDataParser. By sending a specially crafted request, a local authenticated attacker could bypass security restrictions and access the Jenkins controller file system to read and write the files before they are used.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2240098    

Description Pedro Sampaio 2023-09-21 18:59:31 UTC 
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, uploaded files processed via the Stapler web framework and the Jenkins API MultipartFormDataParser create temporary files in the system temporary directory with the default permissions for newly created files.

If these permissions are overly permissive, attackers with access to the system temporary directory may be able to read and write the file before it is used.
	
This vulnerability only affects operating systems using a shared temporary directory for all users (typically Linux). Additionally, the default permissions for newly created files generally only allow attackers to read the temporary file, but not write to it.

Jenkins 2.424, LTS 2.414.2 creates the temporary files in a subdirectory with more restrictive permissions.

As a workaround, you can change your default temporary-file directory using the Java system property java.io.tmpdir, if you’re concerned about this issue but unable to immediately update Jenkins.

References:

https://www.jenkins.io/security/advisory/2023-09-20/