Arbitrary File Deletion Vulnerability in Jenkins CloudBees CD Plugin

CVE-2023-46654 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Jenkins CloudBees CD Plugin 1.1.32 and earlier follows symbolic links to locations outside of the expected directory during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step, allowing attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.
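The class of bug described above, shown from the defender's side as an added example (not the plugin's code, which is Java): one function audits a directory for symbolic links that resolve outside it, and one cleans the directory without following any link. It assumes a POSIX file system; all directory and file names are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def escaping_symlinks(root):
    """Return relative paths of symlinks under root that resolve outside root."""
    root_real = Path(root).resolve()
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                target = p.resolve()  # non-strict: dangling links still resolve
                if target != root_real and root_real not in target.parents:
                    found.append(str(p.relative_to(root)))
    return sorted(found)


def safe_cleanup(root):
    """Empty root bottom-up; symlinks are unlinked, never descended into."""
    removed = 0
    for dirpath, dirnames, filenames in os.walk(root, topdown=False, followlinks=False):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isdir(p):
                os.unlink(p)  # removes the link itself, not what it points to
            else:
                os.rmdir(p)   # real directory, already emptied by the bottom-up walk
            removed += 1
    return removed


def demo():
    """Constructed tree: a workspace with two links that leave it and one that stays inside."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp, "outside")
        ws = Path(tmp, "workspace")
        (ws / "sub").mkdir(parents=True)
        outside.mkdir()
        (outside / "keep.txt").write_text("controller file")
        (ws / "sub" / "artifact.bin").write_text("build output")
        (ws / "dir_link").symlink_to(outside, target_is_directory=True)
        (ws / "file_link").symlink_to(outside / "keep.txt")
        (ws / "inner_link").symlink_to(ws / "sub", target_is_directory=True)
        flagged = escaping_symlinks(ws)
        removed = safe_cleanup(ws)
        return flagged, removed, (outside / "keep.txt").exists(), os.listdir(ws)
```

Calling `demo()` returns the flagged links, the number of entries removed, whether the file outside the workspace survived, and what is left in the workspace.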
