CVE-2023-43496
📋 TL;DR
This vulnerability in Jenkins allows attackers with access to the system temporary directory to replace plugin files during installation from a URL, potentially leading to arbitrary code execution. It affects Jenkins 2.423 and earlier, including LTS 2.414.1 and earlier. Attackers need local filesystem access to exploit this issue.
💻 Affected Systems
- Jenkins
📦 What is this software?
Jenkins by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution with Jenkins service privileges, potentially leading to data theft, lateral movement, or ransomware deployment.
Likely Case
Local privilege escalation leading to Jenkins administrator access, plugin manipulation, or credential theft from Jenkins configuration.
If Mitigated
Limited impact due to proper filesystem permissions and isolation controls preventing unauthorized temporary directory access.
🎯 Exploit Status
Requires local filesystem access and timing to replace temporary file during plugin installation. No public exploit code available as of advisory date.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Jenkins 2.424, LTS 2.414.2
Vendor Advisory: https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3072
Restart Required: Yes
Instructions:
1. Back up the Jenkins configuration and data.
2. Download the patched version from jenkins.io.
3. Stop the Jenkins service.
4. Install the new version following the platform-specific instructions.
5. Start the Jenkins service.
6. Verify the version and functionality.
🔧 Temporary Workarounds
Restrict temporary directory permissions
Linux: Give the Jenkins service account a private temporary directory instead of tightening the shared system temp directory (chmod 700 on /tmp itself would break every other service that uses it), then start Jenkins with -Djava.io.tmpdir pointing at that directory
mkdir -p /tmp/jenkins_temp
chown jenkins:jenkins /tmp/jenkins_temp
chmod 700 /tmp/jenkins_temp
Disable plugin installation from URL
All platforms: Remove the ability to install plugins from URLs in the Jenkins configuration
🧯 If You Can't Patch
- Implement strict filesystem permissions on temporary directories
- Monitor for suspicious plugin installation activities and file modifications in temp directories
🔍 How to Verify
Check if Vulnerable:
Check Jenkins version via Manage Jenkins > About Jenkins or via CLI: java -jar jenkins.war --version
Check Version:
java -jar jenkins.war --version
Verify Fix Applied:
Verify version is 2.424 or later, or LTS 2.414.2 or later. Check that plugin installation from URL works without creating world-writable temporary files.
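The two checks above, as an added example (not from the advisory or the Jenkins project): it compares a reported version against the fix releases named on this page, treating three-component versions as LTS and two-component versions as weekly, and flags a temp directory that every local user can write to. Function names are my own; the fix releases are the ones the advisory lists.

```python
import os
import re
import stat

# Fix releases named in the advisory: weekly 2.424, LTS 2.414.2.
FIXED_WEEKLY = (2, 424)
FIXED_LTS = (2, 414, 2)


def parse_version(text: str) -> tuple:
    """Turn '2.414.1' or '2.423' into a tuple of ints; a trailing label
    such as '-SNAPSHOT' is ignored."""
    match = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"not a Jenkins version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable_version(text: str) -> bool:
    """Weekly releases have two components (2.423), LTS releases have
    three (2.414.1); each line is compared with its own fix release."""
    version = parse_version(text)
    if len(version) >= 3:          # LTS line
        return version < FIXED_LTS
    return version < FIXED_WEEKLY  # weekly line


def temp_dir_mode_is_shared(mode: int) -> bool:
    """True when the world-writable bit is set, i.e. any local user can
    create files in the directory (a shared /tmp is the usual case)."""
    return bool(mode & stat.S_IWOTH)


def temp_dir_exposed(path: str) -> bool:
    """Check the directory Jenkins actually uses as java.io.tmpdir."""
    return temp_dir_mode_is_shared(os.stat(path).st_mode)


if __name__ == "__main__":
    for version in ("2.423", "2.424", "2.414.1", "2.414.2", "2.401.3"):
        state = "vulnerable" if is_vulnerable_version(version) else "fixed"
        print(version, state)
    print("/tmp shared:", temp_dir_exposed("/tmp"))
```

Run it with the version string from About Jenkins and the path set in java.io.tmpdir; a patched version plus a private temp directory is the state to aim for.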
📡 Detection & Monitoring
Log Indicators:
- Multiple plugin installation attempts from unusual URLs
- File permission changes in temporary directories
- Failed plugin installations with permission errors
Network Indicators:
- Unusual outbound connections after plugin installation
- Downloads from unexpected plugin repositories
SIEM Query:
source="jenkins.log" AND ("plugin install" OR "temporary file") AND (error OR warning)