Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mcmdyLWM1ZjItOHFoaM4AAyCc
Denial of service in Jenkins Core
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier, and LTS versions prior to 2.387.1 are affected by the Apache Commons FileUpload library's vulnerability CVE-2023-24998. Jenkins uses this library to process uploaded files via the Stapler web framework (usually through StaplerRequest#getFile) and via MultipartFormDataParser.
This allows attackers to cause a denial of service (DoS) by sending crafted requests to HTTP endpoints processing file uploads.
Jenkins 2.394, LTS 2.375.4, and LTS 2.387.1 limit the number of request parts to be processed to 1000. Specific endpoints that receive only simple form submissions have a lower limit.
Permalink: https://github.com/advisories/GHSA-frgr-c5f2-8qhh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mcmdyLWM1ZjItOHFoaM4AAyCc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 9 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-frgr-c5f2-8qhh, CVE-2023-27900
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-27900
- https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030
- https://github.com/CVEProject/cvelist/blob/master/2023/27xxx/CVE-2023-27900.json
- https://github.com/jenkinsci/jenkins/commit/b70f4cb5892bd6059a45b5f156f019ce572adb08
- https://github.com/advisories/GHSA-frgr-c5f2-8qhh
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.main:jenkins-core
Affected Version Ranges: >= 2.376, < 2.387.1; >= 2.388, < 2.394; < 2.375.4
Fixed in: 2.387.1, 2.394, 2.375.4