CVE-2023-32986

Jenkins File Parameter Plugin arbitrary file write vulnerability in maven/io.jenkins.plugins/file-parameters

Identifiers

GHSA-46f2-x6h2-x9hx, CVE-2023-32986

Package Slug

maven/io.jenkins.plugins/file-parameters

Vulnerability

Jenkins File Parameter Plugin arbitrary file write vulnerability

Description

Jenkins File Parameter Plugin 285.v757c5b67ac25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters, allowing attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

Affected Versions

All versions before 285.287.v4b

Solution

Upgrade to version 285.287.v4b or above.

Last Modified

2023-05-17
