Description
Denial of service in Jenkins Core
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier, and LTS releases prior to 2.387.1 are affected by CVE-2023-24998, a vulnerability in the Apache Commons FileUpload library. Jenkins uses this library to process uploaded files via the Stapler web framework (usually through StaplerRequest#getFile) and via hudson.util.MultipartFormDataParser.
This allows attackers to cause a denial of service (DoS) by sending crafted multipart requests to HTTP endpoints that process file uploads.
Jenkins 2.394, LTS 2.375.4, and LTS 2.387.1 limit the number of request parts processed to 1000. Specific endpoints that receive only simple form submissions have a lower limit.
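The following is an added example, not code from Jenkins, Stapler or the Commons FileUpload project. It parses a constructed multipart/form-data body with Commons FileUpload 1.5 twice: once with the library default of no part limit (the state of Jenkins before 2.394) and once with setFileCountMax(1000), the limit the fixed releases apply. The class name PartLimitDemo, the boundary string, the in-memory UploadContext and the part count of 5000 are all assumptions made for the demonstration; it needs commons-fileupload 1.5 and commons-io on the classpath.

```java
// Added example (not Jenkins or Commons FileUpload project code): parse a
// constructed multipart body with and without the part-count limit that
// Commons FileUpload 1.5 introduced for CVE-2023-24998.
// Requires commons-fileupload 1.5 and commons-io on the classpath.
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.List;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUpload;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.UploadContext;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;

public class PartLimitDemo {

    // Assumed boundary for the constructed body.
    static final String BOUNDARY = "----demoBoundary";

    /** Builds a constructed multipart body containing partCount tiny form-field parts. */
    static byte[] buildMultipartBody(int partCount) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < partCount; i++) {
            sb.append("--").append(BOUNDARY).append("\r\n")
              .append("Content-Disposition: form-data; name=\"f").append(i).append("\"\r\n\r\n")
              .append("x\r\n");
        }
        sb.append("--").append(BOUNDARY).append("--\r\n");
        return sb.toString().getBytes(StandardCharsets.ISO_8859_1);
    }

    /** Minimal in-memory UploadContext so the example runs without a servlet container. */
    static UploadContext contextFor(final byte[] body) {
        return new UploadContext() {
            @Override public String getCharacterEncoding() { return "ISO-8859-1"; }
            @Override public String getContentType() { return "multipart/form-data; boundary=" + BOUNDARY; }
            @Override public int getContentLength() { return body.length; }
            @Override public long contentLength() { return body.length; }
            @Override public InputStream getInputStream() { return new ByteArrayInputStream(body); }
        };
    }

    /**
     * Parses the body with the given part limit. A negative fileCountMax is the
     * library default ("no limit", i.e. Jenkins before 2.394); otherwise parsing
     * aborts as soon as the limit is reached. Returns the number of parts parsed,
     * or -1 when the library rejected the request.
     */
    static int parseWithLimit(byte[] body, long fileCountMax) {
        FileUpload upload = new FileUpload(new DiskFileItemFactory());
        upload.setFileCountMax(fileCountMax);   // added in Commons FileUpload 1.5 for CVE-2023-24998
        try {
            List<FileItem> items = upload.parseRequest(contextFor(body));
            return items.size();
        } catch (FileUploadException e) {
            // FileUpload 1.5 throws a FileUploadException subclass once the part count limit is hit.
            System.err.println("rejected: " + e.getMessage());
            return -1;
        }
    }

    public static void main(String[] args) {
        byte[] body = buildMultipartBody(5000);   // constructed input: 5000 parts, well over the 1000 limit
        System.out.println("unlimited parser parsed " + parseWithLimit(body, -1) + " parts");
        System.out.println("limited parser result: " + parseWithLimit(body, 1000));
    }
}
```

The unlimited parser dutifully materialises every part, which is what lets an attacker drive CPU and memory cost with a single request; the limited parser stops at 1000 parts and the request is rejected before the remaining parts are processed. Code that drives the library directly (rather than through Jenkins core) has to set the limit itself, since the library default remains unlimited.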
Packages
Package                            Affected versions      Fixed in
org.jenkins-ci.main:jenkins-core   >= 2.388, < 2.394      2.394
org.jenkins-ci.main:jenkins-core   < 2.375.4              2.375.4
org.jenkins-ci.main:jenkins-core   >= 2.376, < 2.387.1    2.387.1
Related vulnerabilities
Jenkins 2.393 and earlier and LTS 2.375.3 and earlier use the Apache Commons FileUpload library in hudson.util.MultipartFormDataParser without setting the limit on the number of request parts that library version 1.5 introduced for CVE-2023-24998, allowing attackers to trigger a denial of service.