CVE-2023-46654: 
Java vulnerability analysis and mitigation

CVE-2023-46654 affects the Jenkins CloudBees CD Plugin versions 1.1.32 and earlier. The vulnerability was discovered and reported by Andrea Chiera from CloudBees, Inc. and was publicly disclosed on October 25, 2023. This security issue impacts the 'CloudBees CD - Publish Artifact' post-build step functionality in the Jenkins automation server (Jenkins Advisory, NVD).

The vulnerability occurs during the cleanup process of the 'CloudBees CD - Publish Artifact' post-build step. The plugin follows symbolic links to locations outside of the expected directory when cleaning up artifacts that were previously copied from an agent to the controller. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H (NVD).

This vulnerability allows attackers with job configuration permissions to delete arbitrary files on the Jenkins controller file system. The high severity rating reflects the potential for significant damage to the system through unauthorized file deletion (Jenkins Advisory).

The vulnerability has been fixed in CloudBees CD Plugin version 1.1.33, which modifies the behavior to delete symbolic links without following them. Users are strongly advised to upgrade to this version to address the security issue (Jenkins Advisory).