Base Score

HIGH7.5

CVE-2023-27900

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier uses the Apache Commons FileUpload library without specifying limits for the number of request parts introduced in version 1.5 for CVE-2023-24998 in hudson.util.MultipartFormDataParser, allowing attackers to trigger a denial of service.

VectorNETWORK

Published Byjenkinsci-cert@googlegroups.com

Published DateMar 10, 2023, 21:15

Affected Versions(3)

org.jenkins-ci.main:jenkins-core(Maven)

Introduced2.388

Fixed2.394

LimitN/A

org.jenkins-ci.main:jenkins-core(Maven)

Introduced0

Fixed2.375.4

LimitN/A

org.jenkins-ci.main:jenkins-core(Maven)

Introduced2.376

Fixed2.387.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.main:jenkins-core(Maven)	2.388	2.394	N/A
org.jenkins-ci.main:jenkins-core(Maven)	0	2.375.4	N/A
org.jenkins-ci.main:jenkins-core(Maven)	2.376	2.387.1	N/A

Weakness Type (CWE):CWE-770

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH

References

https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-3030

Base Score

HIGH7.5

Weakness Type (CWE):CWE-770

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

HIGH