CVE-2023-46654
Description
Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symlinks in artifact cleanup, allowing attackers to delete arbitrary files on the controller.
Vulnerability
Description
The Jenkins CloudBees CD Plugin (versions 1.1.32 and earlier) contains a path traversal vulnerability in its 'CloudBees CD - Publish Artifact' post-build step. During the cleanup process, the plugin follows symbolic links to locations outside the expected working directory. This allows attackers who can configure jobs to delete arbitrary files on the Jenkins controller file system. [1][2][3]
Exploitation
An attacker must have the ability to configure a Jenkins job (e.g., Item/Configure permission) to exploit this vulnerability. By crafting a malicious artifact path that includes symbolic links, the attacker can point the cleanup operation to any file on the Jenkins controller filesystem. The plugin then deletes the targeted file during the post-build cleanup phase.
Impact
Successful exploitation allows an attacker to delete arbitrary files on the Jenkins controller, potentially causing denial of service or disrupting Jenkins operations. Deleting critical system files can lead to data loss or complete unavailability of the Jenkins instance. This vulnerability does not grant code execution on its own, but can be leveraged as part of a broader attack.
Mitigation
The vulnerability has been fixed in CloudBees CD Plugin version 1.1.33, released on October 25, 2023 [2][4]. Users should upgrade to this version immediately. There is no known workaround for the vulnerability in affected versions. The issue was disclosed as part of the Jenkins security advisory on October 25, 2023 [2][4].
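The two cleanup behaviours described above, as an added illustration that is not code from the plugin or the advisory: a naive recursive delete that follows a symlink out of the workspace next to the symlink-aware version the fix moved to, plus a realpath-based containment check in the spirit of the patch's `toRealPath().startsWith()` test. Function names and the constructed workspace layout are assumptions for the demo.

```python
import os
import tempfile

def naive_cleanup(path):
    """Pre-fix style: isdir() follows symlinks, so links to outside dirs get emptied."""
    for name in os.listdir(path):
        child = os.path.join(path, name)
        if os.path.isdir(child):  # also True for a symlink to a directory
            naive_cleanup(child)
            if os.path.islink(child):
                os.unlink(child)
            else:
                os.rmdir(child)
        else:
            os.unlink(child)

def safe_cleanup(path):
    """Fixed pattern (mirrors the symlink check added to __deleteDirectory):
    remove the link itself and never descend through it."""
    for name in os.listdir(path):
        child = os.path.join(path, name)
        if os.path.islink(child):
            os.unlink(child)
        elif os.path.isdir(child):
            safe_cleanup(child)
            os.rmdir(child)
        else:
            os.unlink(child)

def is_within(root, candidate):
    """Like toRealPath().startsWith(): resolve symlinks, compare whole components."""
    real_root = os.path.realpath(root)
    return os.path.commonpath([real_root, os.path.realpath(candidate)]) == real_root

def demo(cleanup):
    """Constructed scenario: workspace holding a symlink to a directory outside
    it. Returns (outside file survived, link passes containment check)."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "outside")
        os.mkdir(outside)
        victim = os.path.join(outside, "important.txt")
        with open(victim, "w") as f:
            f.write("constructed sample content\n")
        workspace = os.path.join(tmp, "workspace")
        os.mkdir(workspace)
        link = os.path.join(workspace, "artifacts")
        os.symlink(outside, link)
        contained = is_within(workspace, link)
        cleanup(workspace)
        return os.path.exists(victim), contained
```

Running `demo(naive_cleanup)` removes the file outside the workspace, while `demo(safe_cleanup)` only removes the link; in both cases the containment check already rejects the link before any deletion happens.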
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:electricflow (Maven) | < 1.1.33 | 1.1.33 |
Affected products
- Jenkins Project / Jenkins CloudBees CD Plugin
Patches
- e45ca8428ae4: SECURITY-3237-3238
2 files changed · +11 −34
src/main/java/org/jenkinsci/plugins/electricflow/ElectricFlowClient.java+3 −15 modified@@ -416,7 +416,8 @@ public String uploadArtifact( // http://swarm/reviews/137432/ String phpUrl = this.electricFlowUrl + "/commander/publishArtifact.php"; String cgiUrl = this.electricFlowUrl + "/commander/cgi-bin/publishArtifactAPI.cgi"; - String requestURL = checkIfEndpointReachable("/commander/publishArtifact.php") ? phpUrl : cgiUrl; + boolean isPhpEndpoint = checkIfEndpointReachable("/commander/publishArtifact.php"); + String requestURL = isPhpEndpoint ? phpUrl : cgiUrl; MultipartUtility multipart = new MultipartUtility(requestURL, CHARSET, this.getIgnoreSslConnectionErrors()); @@ -428,20 +429,7 @@ public String uploadArtifact( multipart.addFormField("commanderSessionId", sessionId); for (File file : fileList) { - if (file.isDirectory()) { - - if (!uploadDirectory) { - continue; - } - - List<File> dirFiles = FileHelper.getFilesFromDirectory(file); - - for (File f : dirFiles) { - multipart.addFilePart("files", f, uploadWorkspace); - } - } else { - multipart.addFilePart("files", file, uploadWorkspace); - } + multipart.addFilePart(isPhpEndpoint ? "files[]" : "files", file, uploadWorkspace); } List<String> response = multipart.finish();
src/main/java/org/jenkinsci/plugins/electricflow/FileHelper.java+8 −19 modified@@ -24,6 +24,7 @@ import java.io.PrintStream; import java.io.Writer; import java.nio.charset.StandardCharsets; +import java.nio.file.Files; import java.util.ArrayList; import java.util.List; import java.util.regex.Pattern; @@ -112,24 +113,6 @@ static String[] splitPath(String separator, String path) { return list; } - static List<File> getFilesFromDirectory(final File folder) { - List<File> fileList = new ArrayList<>(); - File[] list = folder.listFiles(); - - if (list == null) { - return fileList; - } - - for (final File fileEntry : list) { - - if (!fileEntry.isDirectory()) { - fileList.add(fileEntry); - } - } - - return fileList; - } - static List<File> getFilesFromDirectoryWildcardDirScanner( String includePattern, boolean fullPath, @@ -148,7 +131,9 @@ public void visit(File file, String s) throws IOException { fileString = s; } File retFile = new File(fileString); - readFileList.add(retFile); + if (retFile.toPath().toRealPath().startsWith(new File(fullPathValue).toPath().toRealPath())) { + readFileList.add(retFile); + } } }); return readFileList; @@ -236,6 +221,10 @@ private static boolean __deleteDirectory(File dir) { File[] files = dir.listFiles(); if (files != null) { for (final File file : files) { + if (Files.isSymbolicLink(file.toPath())) { + boolean symlinkRemoved = file.delete(); + continue; + } __deleteDirectory(file); } }
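Review bot: in the first ElectricFlowClient.java hunk, the new isPhpEndpoint flag comes from a live probe (checkIfEndpointReachable) and now drives both the request URL and the multipart field name ("files[]" vs "files") in the upload loop, so a transient probe failure silently switches the upload to the CGI form; log which endpoint was selected, and state in the commit message that the field-name change is a behaviour change shipped alongside the SECURITY-3237-3238 fix rather than part of it.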
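Review bot: in the second ElectricFlowClient.java hunk, removing the directory branch means every File in fileList goes straight to addFilePart and the uploadDirectory flag is no longer consulted here, so a directory entry would reach addFilePart unchanged; either document that fileList is now guaranteed to contain regular files only (the filtered scanner in FileHelper) or keep a local `if (file.isDirectory()) continue;` guard so the invariant does not depend on a caller in another file.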
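Review bot: in the visit() hunk of FileHelper.java, the containment check resolves the workspace root with toRealPath() once per visited file and throws NoSuchFileException if retFile disappeared between scan and visit, which aborts the whole listing; resolve the root once outside the visitor, catch the per-file IOException so a vanished file is skipped rather than failing the step, and log entries rejected by startsWith, otherwise a symlink pointing outside the workspace is dropped with no trace for the job owner or an auditor. Path.startsWith compares whole components (so /ws vs /ws2 is handled correctly); a one-line comment saying so would stop a later refactor to a String prefix check.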
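Review bot: in the __deleteDirectory hunk of FileHelper.java, the symlink guard covers only the children of dir; the method still calls dir.listFiles() on its argument before any check, so if the top-level directory passed in is itself a symlink, listFiles() follows it and the recursion deletes the target's contents. Add `if (Files.isSymbolicLink(dir.toPath()))` handling at entry as well. The value stored in symlinkRemoved is never read; log a failed unlink or drop the variable, since a link that could not be removed currently survives the cleanup silently.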
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jx7x-rf3f-j644 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-46654 (advisory)
- www.jenkins.io/security/advisory/2023-10-25/ (vendor advisory)
- www.openwall.com/lists/oss-security/2023/10/25/2 (web)
- github.com/jenkinsci/electricflow-plugin/commit/e45ca8428ae45f45ca07611e802eaa0f1484ab50 (web, fix commit)
News mentions
- Jenkins Security Advisory 2023-10-25 (Jenkins Security Advisories, Oct 25, 2023)