Cyber Resilience

CVE-2023-32985

Severity: Medium
Published: 16 May 2023
Modified: 23 January 2025
CVSS v3.1 score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
EPSS score: 0.0136 (80.6th percentile)
Risk priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-32985 is a medium-severity Path Traversal (CWE-22) vulnerability in Jenkins Sidebar Link. Its CVSS base score is 4.3 (Medium).

Operationally, this CVE ranks in the top 19.4% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Jenkins Sidebar Link Plugin 2.2.1 and earlier contains a path traversal flaw (CWE-22) in a form validation method that does not restrict file paths supplied by users. This affects the Jenkins controller file system and permits an attacker to probe for the existence of arbitrary paths.

An attacker holding Overall/Read permission can submit crafted input during form validation to determine whether attacker-specified files exist on the controller, resulting in limited information disclosure with no impact on integrity or availability.

The Jenkins security advisory published on 2023-05-16 details the issue under SECURITY-3125 and provides guidance on mitigation through plugin updates.

EPSS for this CVE rose from a low baseline to a peak of 0.1744 on 2025-12-11 before receding to the current value of 0.0136, indicating a period of increased exploitation interest after disclosure.


Vulnerability details

Jenkins Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

CWE(s)

CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Jenkins Sidebar Link Plugin, versions ≤ 2.2.1

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Pathname validation (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.
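As an added example of that control (this is not code from the Sidebar Link plugin or the Jenkins project), the Java snippet below shows a lexical containment check applied to a user-supplied path before any file-system access takes place, so a validation method cannot be used to learn whether a path outside the intended directory exists. The base directory, the method names and the sample inputs are assumptions constructed for illustration; the validator returns a plain String instead of Jenkins' FormValidation so that it compiles without plugin dependencies.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

/**
 * Added example (not the plugin's code): reject a user-supplied path unless it
 * stays inside a fixed base directory, and do so before touching the file system.
 */
public final class PathContainment {

    private PathContainment() {}

    /**
     * Returns true only if userInput, resolved against base and normalised
     * ("." and ".." collapsed), still lies inside base. An absolute input
     * resolves to itself, so it is rejected unless it already sits under base.
     */
    public static boolean isContained(Path base, String userInput) {
        if (userInput == null || userInput.isEmpty()) {
            return false;
        }
        Path root = base.toAbsolutePath().normalize();
        Path candidate = root.resolve(userInput).normalize();
        // startsWith compares whole path components, so "/srv/app2" does not match "/srv/app".
        return candidate.startsWith(root);
    }

    /**
     * Shape of a form-validation method using the check: the value is refused
     * purely on its lexical form, so no existence information about files outside
     * base can leak. Hypothetical helper, not the plugin's doCheck method.
     */
    public static String validateUserFile(Path base, String userInput) {
        if (!isContained(base, userInput)) {
            return "error: path must stay within " + base;
        }
        return "ok";
    }

    public static void main(String[] args) {
        // Constructed base directory and sample inputs for the demonstration.
        Path base = Paths.get("/var/lib/jenkins/userContent");
        List<String> samples = List.of(
                "logo.png",                // contained
                "icons/../logo.png",       // contained after normalisation
                "../../outside/file.txt",  // escapes base via ".."
                "/outside/file.txt",       // absolute path outside base
                "");                       // empty input
        for (String s : samples) {
            System.out.printf("%-26s -> %s%n", "\"" + s + "\"", validateUserFile(base, s));
        }
    }
}
```

The check is deliberately lexical: it never calls Files.exists or toRealPath on the candidate, because doing so before containment is established is exactly the existence oracle the advisory describes. If symbolic links can occur under the base directory, a second check is needed after the lexical one passes, resolving the candidate with toRealPath and confirming it still starts with the (real) base path.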
