CVE-2023-27901 – org.jenkins-ci.main:jenkins-core

Package

Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=2.388 <2.394 || >=0 <2.375.4 || >=2.376 <2.387.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00111 pctl0.302

Details

Denial of service in Jenkins Core Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in org.kohsuke.stapler.RequestImpl, allowing attackers to trigger a denial of service.

Metadata

Created: 2023-03-10T21:30:19Z
Modified: 2023-03-17T14:44:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-h76p-mc68-jv3p/GHSA-h76p-mc68-jv3p.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-h76p-mc68-jv3p
Finding: F029
Auto approve: 1