Moderate severityNVD Advisory· Published Oct 25, 2023· Updated Feb 13, 2025
CVE-2023-46655
CVE-2023-46655
Description
Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the directory from which artifacts are published during the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to publish arbitrary files from the Jenkins controller file system to the previously configured CloudBees CD server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:electricflowMaven | < 1.1.33 | 1.1.33 |
Affected products
2- Range: 0
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-9ggw-h9mf-4jh7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-46655ghsaADVISORY
- www.jenkins.io/security/advisory/2023-10-25/ghsavendor-advisoryWEB
- www.openwall.com/lists/oss-security/2023/10/25/2ghsaWEB
- github.com/jenkinsci/electricflow-plugin/commit/e45ca8428ae45f45ca07611e802eaa0f1484ab50ghsaWEB
News mentions
1- Jenkins Security Advisory 2023-10-25Jenkins Security Advisories · Oct 25, 2023