Incorrect default permissions in Jenkins and Jenkins LTS - CVE-2023-27903
Published: March 9, 2023
Vulnerability identifier: #VU73196
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-27903
CWE-ID: CWE-276
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Jenkins
Affected software:
Jenkins
Jenkins LTS
Jenkins
Jenkins LTS
Detailed vulnerability description
The vulnerability allows a local user to compromise the target system.
The vulnerability exists due to the affected plugin creates the temporary file in the default temporary directory with the default permissions for newly created files. A local user can read and write the file before it is used in the build.
How to mitigate CVE-2023-27903
Install updates from vendor's website.