CVE-2023-27900

Description

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier, and prior to LTS 2.387.1 is affected by the Apache Commons FileUpload library’s vulnerability CVE-2023-24998. This library is used to process uploaded files via the Stapler web framework (usually through StaplerRequest#getFile) and MultipartFormDataParser in Jenkins. This allows attackers to cause a denial of service (DoS) by sending crafted requests to HTTP endpoints processing file uploads. Jenkins 2.394, LTS 2.375.4, and LTS 2.387.1 limits the number of request parts to be processed to 1000. Specific endpoints receiving only simple form submissions have a lower limit.

How to fix CVE-2023-27900

To remediate CVE-2023-27900, upgrade the affected package to a fixed version below.

• —upgrade to 2.394.0 or later
• —upgrade to 2.394 or later

Is CVE-2023-27900 being exploited?

Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 2.394.0
• >= 2.388, < 2.394

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-27900
• WEBgithub.com/CVEProject/cvelist/blob/master/2023/27xxx/CVE-2023-27900.json
• WEBgithub.com/jenkinsci/jenkins/commit/b70f4cb5892bd6059a45b5f156f019ce572adb08
• WEBwww.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030