CVE-2023-27901 — Denial of service in Jenkins Core

Description

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.

How to fix CVE-2023-27901

To remediate CVE-2023-27901, upgrade the affected package to a fixed version below.

—upgrade to 2.394.0 or later
—upgrade to 2.394 or later

Is CVE-2023-27901 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.394.0
>= 2.388, < 2.394

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-27901
WEBgithub.com/CVEProject/cvelist/blob/master/2023/27xxx/CVE-2023-27901.json
WEBgithub.com/jenkinsci/jenkins/commit/b70f4cb5892bd6059a45b5f156f019ce572adb08
WEBwww.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030