CVE-2023-46654: Improper Link Resolution Before File Access ('Link Following')
Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the ‘CloudBees CD - Publish Artifact’ post-build step, allowing attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.
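The class of bug described above is easy to reproduce outside Jenkins. The following is an added illustration, not code from the CloudBees CD Plugin or the Jenkins project: a cleanup routine that walks an artifact directory with symlink following enabled (the vulnerable pattern) next to a hardened version that removes a symlink entry itself, never descends through it, and confirms every directory it touches resolves to a location inside the expected root. The directory layout (an `artifacts` directory containing a symlink to an `outside` directory that stands in for something like the controller's home) is constructed in a temporary directory purely for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path


def vulnerable_cleanup(artifact_dir: str) -> None:
    """Illustrative cleanup in the style the advisory describes.

    os.walk(followlinks=True) descends into a symlinked directory, so files
    behind the link are deleted even though they live outside artifact_dir.
    """
    for root, dirs, files in os.walk(artifact_dir, topdown=False, followlinks=True):
        for name in files:
            os.remove(os.path.join(root, name))
        for name in dirs:
            path = os.path.join(root, name)
            if os.path.islink(path):
                os.unlink(path)
            else:
                os.rmdir(path)


def safe_cleanup(artifact_dir: str) -> None:
    """Hardened cleanup: never follow links, and refuse to act outside artifact_dir."""
    root = Path(artifact_dir).resolve(strict=True)
    for dirpath, dirnames, filenames in os.walk(root, topdown=False, followlinks=False):
        resolved = Path(dirpath).resolve()
        # Belt and braces: even though we never descend through links, verify the
        # directory we are about to modify really sits under the expected root.
        if resolved != root and root not in resolved.parents:
            raise RuntimeError(f"refusing to clean outside {root}: {dirpath}")
        for name in filenames + dirnames:
            entry = Path(dirpath) / name
            if entry.is_symlink():
                entry.unlink()      # remove the link itself, never its target
            elif entry.is_dir():
                entry.rmdir()       # real subdirectory, already emptied (topdown=False)
            else:
                entry.unlink()


def demo(cleanup) -> dict:
    """Build a constructed layout, run `cleanup` on the artifact dir, report what survived.

    Layout (all constructed under a fresh temp dir):
      outside/secrets.key            <- stands in for a file outside the workspace
      workspace/artifacts/build.zip  <- legitimate artifact to be cleaned up
      workspace/artifacts/link -> outside/   (planted by a job-configuring attacker)
    """
    base = Path(tempfile.mkdtemp())
    try:
        victim = base / "outside"
        victim.mkdir()
        (victim / "secrets.key").write_text("constructed secret\n")
        workspace = base / "workspace" / "artifacts"
        workspace.mkdir(parents=True)
        (workspace / "build.zip").write_text("constructed artifact\n")
        (workspace / "link").symlink_to(victim, target_is_directory=True)

        cleanup(str(workspace))
        return {
            "victim_intact": (victim / "secrets.key").exists(),
            "artifact_removed": not (workspace / "build.zip").exists(),
            "link_removed": not (workspace / "link").is_symlink(),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print("vulnerable:", demo(vulnerable_cleanup))  # victim_intact is False
    print("hardened:  ", demo(safe_cleanup))        # victim_intact is True
```

Running the two variants shows the difference: the following-enabled walk deletes `outside/secrets.key` through the planted link, while the hardened walk removes only `build.zip` and the link entry. Note that the resolve-and-compare check in `safe_cleanup` is not itself race-proof; a cleanup that must resist an attacker swapping a real directory for a symlink between the check and the delete should open directories with `O_NOFOLLOW` and operate on directory file descriptors, which is the approach `shutil.rmtree` takes on platforms that support it.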