[JENKINS:SECURITY-3237] Arbitrary file deletion vulnerability in `electricflow`
Severity
High
Affected Packages
2
Fixed Packages
2
CVEs
1
In electricflow
, artifacts that were previously copied from an agent to the controller are deleted after publishing by the 'CloudBees CD - Publish Artifact' post-build step.
electricflow
1.1.32 and earlier follows symbolic links to locations outside of the expected directory during this cleanup process.
This allows attackers able to configure jobs to delete arbitrary files on the Jenkins controller file system.
electricflow
1.1.33 deletes symbolic links without following them.
Package | Affected Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/electricflow | <= 1.1.32 |
pkg:github/jenkinsci/electricflow-plugin | <= 1.1.32 |
Package | Fixed Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/electricflow | = 1.1.33 |
pkg:github/jenkinsci/electricflow-plugin | = 1.1.33 |
- ID
- JENKINS:SECURITY-3237
- Severity
- high
- Published
-
2023-10-25T00:00:00
(11 months ago) - Modified
-
2023-10-25T00:00:00
(11 months ago) - Rights
- Jenkins Security Team
- Other Advisories
Source | # ID | Name | URL |
---|---|---|---|
Plugin repository | electricflow repository | https://github.com/jenkinsci/electricflow-plugin |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/org.jenkins-ci.plugins/electricflow | org.jenkins-ci.plugins | electricflow | <= 1.1.32 | |||
Fixed | pkg:maven/org.jenkins-ci.plugins/electricflow | org.jenkins-ci.plugins | electricflow | = 1.1.33 | |||
Affected | pkg:github/jenkinsci/electricflow-plugin | jenkinsci | electricflow-plugin | <= 1.1.32 | |||
Fixed | pkg:github/jenkinsci/electricflow-plugin | jenkinsci | electricflow-plugin | = 1.1.33 |
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
---|---|---|---|---|---|---|---|---|---|---|---|
# CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |