Posted on March 6

Jenkins Advisory 2023-03-08: CVE-2023-27899: Temporary plugin file created with insecure permissions

Severity: 7
CVSS: (AV:L/AC:M/Au:S/C:C/I:C/A:C)
Published: 03/09/2023
Created: 03/10/2023
Added: 03/09/2023
Modified: 01/28/2025

Description

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a plugin for installation, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used, potentially resulting in arbitrary code execution.

Solution(s)

jenkins-lts-upgrade-2_375_4
jenkins-upgrade-2_394

References

https://attackerkb.com/topics/cve-2023-27899
CVE-2023-27899
https://jenkins.io/security/advisory/2023-03-08/
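The weakness class in the description (a temporary file created with default permissions in the shared temporary directory) next to an owner-only alternative, as an added example that is not code from Jenkins or from the advisory. The class name, method names and the `uploaded` prefix are assumptions, the hardened variant shows the general mitigation rather than the change shipped in the fixed releases, and a POSIX file system is assumed.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

// Illustrative class (hypothetical name); requires a POSIX file system.
public class TempUploadPermissions {
    // Permission bits that let accounts other than the owner touch the file.
    static final Set<PosixFilePermission> NON_OWNER = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_READ,
            PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    // Weak pattern: the mode comes from the process umask (commonly rw-r--r--).
    static Path createWithDefaultPermissions() throws IOException {
        return File.createTempFile("uploaded", ".jpi").toPath();
    }

    // Hardened pattern: the file is created with an owner-only mode from the start,
    // so there is no window in which another local account can open it.
    static Path createOwnerOnly() throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        return Files.createTempFile("uploaded", ".jpi", ownerOnly);
    }

    // True when any group or other bit is set on the file.
    static boolean exposedToOtherUsers(Path p) throws IOException {
        return Files.getPosixFilePermissions(p).stream().anyMatch(NON_OWNER::contains);
    }

    public static void main(String[] args) throws IOException {
        for (Path p : new Path[] { createWithDefaultPermissions(), createOwnerOnly() }) {
            try {
                String mode = PosixFilePermissions.toString(Files.getPosixFilePermissions(p));
                System.out.println(p + " " + mode + " exposed=" + exposedToOtherUsers(p));
            } finally {
                Files.deleteIfExists(p); // clean up the sample files
            }
        }
    }
}
```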