Summary: | <dev-util/jenkins-bin-{2.414.3,2.428}: multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | graaff, patrick |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | ~3 [noglsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 915553 |
Description
John Helmert III
2023-11-23 18:40:12 UTC
CVE-2023-43498 (https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3073): In Jenkins 2.423 and earlier, LTS 2.414.1 and earlier, processing file uploads using MultipartFormDataParser creates temporary files in the default system temporary directory with the default permissions for newly created files, potentially allowing attackers with access to the Jenkins controller file system to read and write the files before they are used. CVE-2023-39151 (https://www.jenkins.io/security/advisory/2023-07-26/#SECURITY-3188): Jenkins 2.415 and earlier, LTS 2.401.2 and earlier does not sanitize or properly encode URLs in build logs when transforming them into hyperlinks, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control build log contents. (Doesn't seem to be a more appropriate bug to track these issues) |