Jenkins File Parameter Plugin 285.v757c5b_67a_c25 and earlier does not restrict the name (and resulting uploaded file name) of Stashed File Parameters.

This allows attackers with Item/Configure permission to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

File Parameter Plugin 285.287.v4b_7b_29d3469d restricts the name (and resulting uploaded file name) of Stashed File Parameters.

Affected Packages

Maven io.jenkins.plugins:file-parameters

Affected versions: 0 (fixed in 285.287.v4b)

Related CVEs

CVE-2023-32986

Key Information

GHSA ID

GHSA-46f2-x6h2-x9hx

Published

May 16, 2023 6:30 PM

Last Modified

May 17, 2023 3:07 AM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

io.jenkins.plugins:file-parameters

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.