CVE-2023-43497: 
Java vulnerability analysis and mitigation

CVE-2023-43497 is a security vulnerability discovered in Jenkins versions 2.423 and earlier, and LTS 2.414.1 and earlier, related to file upload processing through the Stapler web framework. The vulnerability was disclosed on September 20, 2023, and affects the Jenkins automation server's file handling mechanism (Jenkins Advisory, NVD).

The vulnerability occurs when processing file uploads via the Stapler web framework, where temporary files are created in the system's default temporary directory with default file permissions. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH), indicating significant potential impact (NVD). This issue primarily affects operating systems using a shared temporary directory for all users, typically Linux systems (Jenkins Advisory).

If the default file permissions are overly permissive, attackers with access to the system temporary directory may be able to read and write the temporary files before they are used by Jenkins. However, the default permissions for newly created files generally only allow attackers to read the temporary file, but not write to it (Jenkins Advisory).

The vulnerability has been fixed in Jenkins 2.424 and LTS 2.414.2, where temporary files are now created in a subdirectory with more restrictive permissions. As a workaround for users unable to immediately update Jenkins, the default temporary-file directory can be changed using the Java system property java.io.tmpdir (Jenkins Advisory).