CVE-2023-46654 — Jenkins CloudBees CD Plugin vulnerable to arbitrary file deletion

Description

In Jenkins CloudBees CD Plugin, artifacts that were previously copied from an agent to the controller are deleted after publishing by the 'CloudBees CD - Publish Artifact' post-build step. CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during this cleanup process. This allows attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system. CloudBees CD Plugin 1.1.33 deletes symbolic links without following them.

How to fix CVE-2023-46654

To remediate CVE-2023-46654, upgrade the affected package to a fixed version below.

—upgrade to 1.1.33 or later

Is CVE-2023-46654 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.1.33

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.0	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-46654
PATCHgithub.com/jenkinsci/electricflow-plugin
WEBgithub.com/jenkinsci/electricflow-plugin/commit/e45ca8428ae45f45ca07611e802eaa0f1484ab50
WEBwww.jenkins.io/security/advisory/2023-10-25/#SECURITY-3237