CVE-2023-41932
Description
Jenkins Job Configuration History Plugin fails to restrict timestamp query parameters, enabling directory deletion on the controller.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Job Configuration History Plugin fails to restrict timestamp query parameters, enabling directory deletion on the controller.
Root Cause
The Jenkins Job Configuration History Plugin, in versions 1227.v7a_79fc4dc01f and earlier, does not properly restrict the timestamp query parameter across multiple endpoints. This lack of validation allows an attacker to specify arbitrary directory paths on the Jenkins controller file system [1][3].
Exploitation
To exploit this vulnerability, an attacker must have the Job Config History/DeleteEntry permission [1]. By manipulating the timestamp parameter, the attacker can direct the plugin to attempt deletion of a directory, provided that directory contains a file named history.xml [2][3]. This condition limits the attack to specific directories but can still lead to targeted deletion.
Impact
Successful exploitation enables an attacker to delete attacker-specified directories on the Jenkins controller file system. This could result in data loss or service disruption, depending on the directories affected. The issue has been assigned a CVSS severity of High [1][2].
Mitigation
The vulnerability is fixed in Job Configuration History Plugin version 1229.v3039470161a_d [1][2]. Users are advised to update to this version or later. No workarounds have been provided by the vendor.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:jobConfigHistoryMaven | < 1229.v3039470161a_d | 1229.v3039470161a_d |
Affected products
- Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cgh7-rgqg-hrcx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-41932 (ghsa, ADVISORY)
- www.jenkins.io/security/advisory/2023-09-06/ (ghsa, vendor-advisory, WEB)
- www.openwall.com/lists/oss-security/2023/09/06/9 (ghsa, WEB)
News mentions
- Jenkins Security Advisory 2023-09-06 (Jenkins Security Advisories · Sep 6, 2023)