CVE-2023-27900

7.5 HIGH

📋 TL;DR

This vulnerability in Jenkins allows attackers to cause denial of service by exploiting improper request handling in the Apache Commons FileUpload library. Attackers can send specially crafted multipart requests to exhaust server resources. All Jenkins instances running affected versions are vulnerable.

💻 Affected Systems

Products:
  • Jenkins
Versions: Jenkins 2.393 and earlier, LTS 2.375.3 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service unavailability due to resource exhaustion, potentially requiring server restart and causing extended downtime.

🟠 Likely Case: Temporary service degradation or unavailability until malicious requests stop or server is restarted.

🟢 If Mitigated: Minimal impact with proper request filtering and resource monitoring in place.

🌐 Internet-Facing: HIGH - Internet-facing Jenkins instances are directly exposed to attack.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable to internal threats or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP requests but does not require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Jenkins 2.394, LTS 2.375.4

Vendor Advisory: https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030

Restart Required: Yes

Instructions:

1. Backup Jenkins configuration and data.
2. Upgrade to Jenkins 2.394 or LTS 2.375.4.
3. Restart Jenkins service.
4. Verify upgrade completed successfully.

🔧 Temporary Workarounds

Request Filtering (all): Implement web application firewall or reverse proxy rules to limit multipart request size and part count.

Resource Limits (all): Configure system resource limits and monitoring to detect and mitigate resource exhaustion attacks.

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to Jenkins instances
  • Deploy web application firewall with request size and rate limiting rules

🔍 How to Verify

Check if Vulnerable:

Check Jenkins version via Manage Jenkins > About Jenkins or via CLI with 'java -jar jenkins.war --version'

Check Version:

java -jar jenkins.war --version

Verify Fix Applied:

Verify version is 2.394 or higher (or LTS 2.375.4 or higher) and test multipart upload functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusually large number of multipart requests
  • OutOfMemory errors in Jenkins logs
  • High CPU/memory usage spikes

Network Indicators:

  • Large volume of POST requests to Jenkins endpoints
  • Abnormal request patterns with many multipart parts

SIEM Query:

source="jenkins.log" AND ("OutOfMemory" OR "java.lang.OutOfMemoryError")
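The log and network indicators above, turned into a small detection script. This is an added example, not part of the original advisory or of Jenkins; the log lines are constructed and the access-log layout (`<client> [<ISO timestamp>] <method> <path> <status> <content-type>`) is an assumption, so adapt the regex to your proxy's real format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data, not real logs. The access-log layout is an assumption:
# "<client> [<ISO timestamp>] <method> <path> <status> <content-type>".
ACCESS_LOG = """\
10.0.0.5 [2023-03-08T10:00:01] POST /job/demo/build 200 multipart/form-data
10.0.0.5 [2023-03-08T10:00:02] POST /job/demo/build 200 multipart/form-data
10.0.0.5 [2023-03-08T10:00:03] POST /job/demo/build 200 multipart/form-data
10.0.0.5 [2023-03-08T10:00:04] POST /job/demo/build 200 multipart/form-data
10.0.0.7 [2023-03-08T10:00:06] POST /job/demo/build 200 multipart/form-data
10.0.0.9 [2023-03-08T10:00:07] GET /api/json 200 -
10.0.0.5 [2023-03-08T10:05:00] POST /job/demo/build 200 multipart/form-data
"""
# Constructed jenkins.log excerpt; the SEVERE line is the page's OOM indicator.
JENKINS_LOG = """\
2023-03-08 10:00:03.100+0000 [id=42] INFO hudson.model.Run#execute: demo #7 started
2023-03-08 10:00:09.500+0000 [id=43] SEVERE hudson.init.impl.InstallUncaughtExceptionHandler#handleException: java.lang.OutOfMemoryError: Java heap space
"""
ACCESS_RE = re.compile(r"^(?P<client>\S+) \[(?P<ts>[^\]]+)\] (?P<method>\S+) "
                       r"(?P<path>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$")

def oom_lines(jenkins_log):
    # Same terms as the SIEM query above; returns 1-based line numbers.
    return [n for n, line in enumerate(jenkins_log.splitlines(), start=1)
            if "OutOfMemory" in line or "java.lang.OutOfMemoryError" in line]

def multipart_post_bursts(access_log, window_seconds=60, threshold=3):
    # Peak number of multipart POSTs per client inside any window_seconds span;
    # only clients reaching the threshold are returned.
    by_client = defaultdict(list)
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST" or not m["ctype"].startswith("multipart/"):
            continue
        by_client[m["client"]].append(datetime.fromisoformat(m["ts"]))
    flagged = {}
    for client, times in by_client.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[client] = peak
    return flagged
```

Tune `window_seconds` and `threshold` to the normal multipart traffic of your own instance before alerting on the result.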
