VYPR
← All advisories
Low severityNVD Advisory· Published Mar 8, 2023· Updated Feb 28, 2025

CVE-2023-27903

CVE-2023-27903

Description

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier creates a temporary file in the default temporary directory with the default permissions for newly created files when uploading a file parameter through the CLI, potentially allowing attackers with access to the Jenkins controller file system to read and write the file before it is used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins creates a world-readable/writable temp file before processing CLI-uploaded file parameters, enabling local attackers to steal or modify data.

Root

Cause

When a user uploads a file parameter via the Jenkins CLI, the controller writes it to a temporary file using File.createTempFile(). This method creates files in the system default temporary directory with default permissions — which on Unix systems are typically 0666 (readable and writable by all users) [1][4]. The file is left with these permissive attributes until it is consumed by the build or job logic.

Exploitation

An attacker who already has local shell access to the Jenkins controller file system can simply read or write to that temporary file during the race window between its creation and when Jenkins finishes copying the uploaded content. No authentication beyond file-system access is required; the attack is entirely local [2]. The race window is small but can be repeatedly triggered by submitting file-parameter uploads.

Impact

Successful exploitation allows the attacker to exfiltrate sensitive data that was uploaded by a legitimate user, or inject malicious content into the file that will later be processed by a Jenkins job. This can lead to credential theft, arbitrary code execution in the context of the controller, or further lateral movement within the CI/CD environment [1][2].

Mitigation

Jenkins addressed this in versions 2.394, LTS 2.375.4, and LTS 2.387.1 by replacing File.createTempFile() with Files.createTempFile(), which respects more restrictive file-system permissions (e.g., 0600 on many platforms). Users are strongly advised to update to these fixed versions. There is no effective workaround besides upgrading, as the vulnerability stems from fundamental Java API usage [1][4].

References
  1. Jenkins Security Advisory 2023-03-08
  2. NVD - CVE-2023-27903
  3. [SECURITY-3058] · jenkinsci/jenkins@554587b

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.jenkins-ci.main:jenkins-coreMaven
>= 2.376, < 2.387.12.387.1
org.jenkins-ci.main:jenkins-coreMaven
< 2.375.42.375.4
org.jenkins-ci.main:jenkins-coreMaven
>= 2.388, < 2.3942.394

Affected products

9

Patches

1
554587b06db5

[SECURITY-3058]

https://github.com/jenkinsci/jenkinsKevin-CBFeb 23, 2023via ghsa
commit
1 file changed · +2 1
  • core/src/main/java/hudson/model/FileParameterDefinition.java+2 1 modified
    @@ -31,6 +31,7 @@
 import hudson.cli.CLICommand;
 import java.io.File;
 import java.io.IOException;
+import java.nio.file.Files;
 import java.util.Objects;
 import javax.servlet.ServletException;
 import net.sf.json.JSONObject;
@@ -118,7 +119,7 @@ private String getFileName(String possiblyPathName) {
     @Override
     public ParameterValue createValue(CLICommand command, String value) throws IOException, InterruptedException {
         // capture the file to the server
-        File local = File.createTempFile("jenkins", "parameter");
+        File local = Files.createTempFile("jenkins", "parameter").toFile();
         String name;
         if (value.isEmpty()) {
             FileUtils.copyInputStreamToFile(command.stdin, local);

Vulnerability mechanics

Root cause

"Use of `File.createTempFile` creates a temporary file with default (world-readable/writable) permissions instead of restricted permissions."

Attack vector

An attacker with access to the Jenkins controller file system can exploit a race condition on the temporary file created during CLI file parameter upload. When a user uploads a file parameter via the CLI, Jenkins creates a temporary file in the default system temporary directory using `File.createTempFile` [patch_id=23833], which applies the default file permissions for newly created files (often readable and writable by other users on the system). Before Jenkins processes and moves the uploaded content, a local attacker on the controller can read or modify the temporary file, potentially stealing sensitive data or injecting malicious content.

Affected code

The vulnerability is in `core/src/main/java/hudson/model/FileParameterDefinition.java` in the `createValue(CLICommand, String)` method [patch_id=23833]. The method calls `File.createTempFile("jenkins", "parameter")` which creates a temporary file with default system permissions rather than restricted permissions.

What the fix does

The patch replaces `File.createTempFile("jenkins", "parameter")` with `Files.createTempFile("jenkins", "parameter").toFile()` in `FileParameterDefinition.java` [patch_id=23833]. The key difference is that `Files.createTempFile` (from `java.nio.file.Files`) creates the temporary file with more restrictive permissions (owner-only read/write on POSIX systems), whereas `File.createTempFile` uses the default umask permissions which may allow other users on the system to access the file. This closes the window for a local attacker to read or write the temporary file before Jenkins uses it.

Preconditions

  • authAttacker must have access to the Jenkins controller file system (e.g., as a local user on the same machine).
  • inputA user must upload a file parameter via the Jenkins CLI, triggering temporary file creation.

Generated on May 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

1