CVE-2023-46655: 
Java vulnerability analysis and mitigation

Jenkins CloudBees CD Plugin version 1.1.32 and earlier contains a security vulnerability (CVE-2023-46655) discovered in October 2023. The vulnerability affects the 'CloudBees CD - Publish Artifact' post-build step functionality, where the plugin follows symbolic links to locations outside of the directory from which artifacts are published (Jenkins Advisory, NVD).

The vulnerability occurs during the artifact publishing process when the CloudBees CD Plugin temporarily copies files from an agent workspace to the controller. The plugin version 1.1.32 and earlier incorrectly follows symbolic links to locations outside of the temporary directory on the controller when collecting the list of files to publish. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

This vulnerability allows attackers with job configuration capabilities to publish arbitrary files from the Jenkins controller file system to the previously configured CloudBees CD server, potentially exposing sensitive information (Jenkins Advisory).

The vulnerability has been fixed in CloudBees CD Plugin version 1.1.33, which ensures that only files located within the expected directory are published. Users are advised to upgrade to this version to mitigate the vulnerability (Jenkins Advisory).

The vulnerability was discovered and reported by Andrea Chiera from CloudBees, Inc., demonstrating ongoing security research and responsible disclosure in the Jenkins ecosystem (Jenkins Advisory).