High severityNVD Advisory· Published Oct 25, 2023· Updated Feb 13, 2025
CVE-2023-46654
CVE-2023-46654
Description
Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:electricflowMaven | < 1.1.33 | 1.1.33 |
Affected products
2- Range: 0
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-jx7x-rf3f-j644ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-46654ghsaADVISORY
- www.jenkins.io/security/advisory/2023-10-25/ghsavendor-advisoryWEB
- www.openwall.com/lists/oss-security/2023/10/25/2ghsaWEB
- github.com/jenkinsci/electricflow-plugin/commit/e45ca8428ae45f45ca07611e802eaa0f1484ab50ghsaWEB
News mentions
1- Jenkins Security Advisory 2023-10-25Jenkins Security Advisories · Oct 25, 2023