CVE-2023-50764: 
Java vulnerability analysis and mitigation

Jenkins Scriptler Plugin version 342.v6a_89fd40f466 and earlier contains a high-severity security vulnerability identified as CVE-2023-50764. The vulnerability was discovered by Andrea Chiera from CloudBees, Inc. and was publicly disclosed on December 13, 2023. This security flaw affects the Jenkins Scriptler Plugin, which is a component of the Jenkins automation server (Jenkins Advisory, OSS Security).

The vulnerability stems from an unrestricted file name query parameter in an HTTP endpoint of the Scriptler Plugin. The issue has been assigned a CVSS v3.1 base score of 8.1 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, indicating a network-exploitable vulnerability with low attack complexity and requiring low privileges (NVD).

When exploited, this vulnerability allows attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system. This capability could lead to significant system disruption and potential data loss (Jenkins Advisory).

The vulnerability has been fixed in Scriptler Plugin version 344.v5a_ddb_5f9e685. The updated version ensures that the file being deleted is located in the expected directory, preventing arbitrary file deletion. Users are strongly advised to upgrade to this version to mitigate the security risk (Jenkins Advisory).