CVE-2023-46655: Jenkins CloudBees CD Plugin vulnerable to arbitrary file read

October 25, 2023 (updated October 30, 2023)

Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the directory from which artifacts are published during the ‘CloudBees CD - Publish Artifact’ post-build step, allowing attackers able to configure jobs to publish arbitrary files from the Jenkins controller file system to the previously configured CloudBees CD server.

References

www.openwall.com/lists/oss-security/2023/10/25/2
github.com/advisories/GHSA-9ggw-h9mf-4jh7
github.com/jenkinsci/electricflow-plugin/commit/e45ca8428ae45f45ca07611e802eaa0f1484ab50
nvd.nist.gov/vuln/detail/CVE-2023-46655
www.jenkins.io/security/advisory/2023-10-25/

Code Behaviors & Features

Detect and mitigate CVE-2023-46655 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →