CVE-2023-46654: Jenkins CloudBees CD Plugin vulnerable to arbitrary file deletion

October 25, 2023 (updated October 30, 2023)

Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the ‘CloudBees CD - Publish Artifact’ post-build step, allowing attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.

References

www.openwall.com/lists/oss-security/2023/10/25/2
github.com/advisories/GHSA-jx7x-rf3f-j644
github.com/jenkinsci/electricflow-plugin/commit/e45ca8428ae45f45ca07611e802eaa0f1484ab50
nvd.nist.gov/vuln/detail/CVE-2023-46654
www.jenkins.io/security/advisory/2023-10-25/

Code Behaviors & Features

Detect and mitigate CVE-2023-46654 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →