Bug 2239939 (CVE-2023-43496) - CVE-2023-43496 jenkins: Temporary plugin file created with insecure permissions
Summary: CVE-2023-43496 jenkins: Temporary plugin file created with insecure permissions
Keywords:
Status: NEW
Alias: CVE-2023-43496
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Sayan Biswas
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2240098
TreeView+ depends on / blocked
 
Reported: 2023-09-20 21:13 UTC by Pedro Sampaio
Modified: 2024-05-02 18:49 UTC (History)
7 users (show)

Fixed In Version: jenkins 2.424, jenkins LTS 2.414.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Jenkins weekly and LTS due to an issue creating a temporary file in the system's temporary directory with default permissions. By sending a specially crafted request, a local authenticated attacker could execute arbitrary code on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Pedro Sampaio 2023-09-20 21:13:37 UTC
Jenkins creates a temporary file when a plugin is deployed directly from a URL.

Jenkins 2.423 and earlier, LTS 2.414.1 and earlier creates this temporary file in the system temporary directory with the default permissions for newly created files.

If these permissions are overly permissive, they may allow attackers with access to the Jenkins controller file system to read and write the file before it is installed in Jenkins, potentially resulting in arbitrary code execution.
	
This vulnerability only affects operating systems using a shared temporary directory for all users (typically Linux). Additionally, the default permissions for newly created files generally only allow attackers to read the temporary file, but not write to it.
	
This issue complements SECURITY-2823, which affected plugins uploaded from an administrator’s computer.

Jenkins 2.424, LTS 2.414.2 creates the temporary file in a subdirectory with more restrictive permissions.

As a workaround, you can change your default temporary-file directory using the Java system property java.io.tmpdir, if you’re concerned about this issue but unable to immediately update Jenkins.

References:

https://www.jenkins.io/security/advisory/2023-09-20/


Note You need to log in before you can comment on or make changes to this bug.