Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1mcmdyLWM1ZjItOHFoaM4AAyCc

Denial of service in Jenkins Core

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier, and LTS 2.387 releases prior to 2.387.1 are affected by the Apache Commons FileUpload library's vulnerability CVE-2023-24998. Jenkins uses this library to process uploaded files via the Stapler web framework (usually through StaplerRequest#getFile) and via MultipartFormDataParser.

CVE-2023-24998 concerns the library parsing an unbounded number of parts in a single multipart request, so one crafted request carrying a very large number of parts forces the server to allocate and process each of them. This allows attackers to cause a denial of service (DoS) by sending such crafted requests to HTTP endpoints processing file uploads.

Jenkins 2.394, LTS 2.375.4, and LTS 2.387.1 limit the number of request parts to be processed to 1000. Specific endpoints receiving only simple form submissions have a lower limit.
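The following servlet is an added example, not code from the advisory, Jenkins or Stapler, showing what the described mitigation looks like for any application that uses Commons FileUpload directly. It assumes commons-fileupload 1.5, the release that introduced setFileCountMax() alongside the fix for CVE-2023-24998; the servlet class, the "/simple/" path convention and the lower per-endpoint cap of 16 are illustrative choices, not Jenkins' own. The important caveat for practitioners is that fileCountMax defaults to -1 (unlimited), so upgrading the library without setting the cap leaves the many-parts request fully parseable.

```java
import java.io.IOException;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/**
 * Hypothetical upload servlet (not Jenkins code) showing the vulnerable and
 * hardened configurations side by side. Requires commons-fileupload 1.5 or
 * later; earlier releases have no part-count knob at all.
 */
public class UploadServlet extends HttpServlet {

    /** Cap chosen to mirror the 1000-part limit described in the advisory. */
    static final long MAX_PARTS = 1000;

    /** Tighter cap for endpoints that only expect a handful of form fields (illustrative value). */
    static final long MAX_PARTS_SIMPLE_FORM = 16;

    // BEFORE: fileCountMax is left at its default of -1 (no limit), so a request
    // carrying an enormous number of tiny parts is parsed in full and every part
    // becomes a FileItem held in memory or written to disk.
    static ServletFileUpload vulnerableParser() {
        return new ServletFileUpload(new DiskFileItemFactory());
    }

    // AFTER: the part-count cap is the fix for CVE-2023-24998. The size caps are
    // the pre-existing limits; they bound bytes, not part count, and so do not on
    // their own stop a request made of many small parts.
    static ServletFileUpload hardenedParser(long maxParts) {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileCountMax(maxParts);          // new in 1.5; -1 means unlimited
        upload.setFileSizeMax(10L * 1024 * 1024);  // 10 MiB per part
        upload.setSizeMax(50L * 1024 * 1024);      // 50 MiB per request
        return upload;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }
        // Pick the cap per endpoint, mirroring "simple form submissions have a lower limit".
        long cap = req.getServletPath().startsWith("/simple/") ? MAX_PARTS_SIMPLE_FORM : MAX_PARTS;
        try {
            List<FileItem> items = hardenedParser(cap).parseRequest(req);
            // ... process items ...
            resp.setStatus(HttpServletResponse.SC_OK);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Parsing aborts as soon as the cap is exceeded, so a crafted request
            // costs at most `cap` parts of work before it is rejected.
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "too many parts");
        } catch (FileUploadException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed upload");
        }
    }
}
```

To check an existing deployment, look for every construction of ServletFileUpload or FileUploadBase subclass and confirm that setFileCountMax() is called with a positive value before parseRequest() or getItemIterator(); a library bump to 1.5 alone does not change the default.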

Permalink: https://github.com/advisories/GHSA-frgr-c5f2-8qhh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mcmdyLWM1ZjItOHFoaM4AAyCc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 4 months ago


CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-frgr-c5f2-8qhh, CVE-2023-27900
References: Repository: https://github.com/CVEProject/cvelist
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.376, < 2.387.1; >= 2.388, < 2.394; < 2.375.4
Fixed in: 2.387.1, 2.394, 2.375.4