CVE-2023-27903: 
Java vulnerability analysis and mitigation

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier contains a security vulnerability (CVE-2023-27903) related to insecure file permissions when handling file parameters through the Jenkins CLI. The vulnerability was discovered by Kevin Guerroudj from CloudBees, Inc. and was publicly disclosed on March 8, 2023 (Jenkins Advisory).

When triggering a build from the Jenkins CLI, if a file parameter is provided through the CLI's standard input, Jenkins creates a temporary file on the controller. In affected versions, this temporary file is created in the default temporary directory with default permissions for newly created files. The vulnerability has been assigned a CVSS v3.1 base score of 4.4 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (NVD).

If the default file permissions are overly permissive, attackers with access to the Jenkins controller file system can read and write the temporary file before it is used in the build. This vulnerability primarily affects operating systems using a shared temporary directory for all users, typically Linux systems. However, the default permissions for newly created files generally only allow attackers to read the temporary file (Jenkins Advisory).

The vulnerability has been fixed in Jenkins 2.394, LTS 2.375.4, and LTS 2.387.1, which create temporary files with more restrictive permissions. As a workaround for users unable to immediately update Jenkins, administrators can set a different path as the default temporary directory using the Java system property java.io.tmpdir (Jenkins Advisory).