Описание
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.
A flaw was found in Jenkins weekly and LTS due to an issue when processing file uploads using the MultipartFormDataParser. By sending a specially crafted request, a local authenticated attacker could bypass security restrictions and access the Jenkins controller file system to read and write the files before they are used.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Developer Tools and Services | jenkins | Affected | ||
| Red Hat OpenShift Container Platform 3.11 | jenkins | Out of support scope | ||
| Red Hat OpenShift Container Platform 4 | jenkins | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
3.6 Low
CVSS3
Связанные уязвимости
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used.
In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file ...
Jenkins temporary uploaded file created with insecure permissions
Уязвимость сервера автоматизации Jenkins, связанная с созданием временных файлов с небезопасными разрешениями, позволяющая нарушителю получить доступ на чтение, изменение или удаление файлов
EPSS
3.6 Low
CVSS3