Improvement
Resolution: Fixed
Major
2.423, 2.414.3
Problem
Jenkins core prior to Jenkins 2.423 ships an outdated release of commons-compress that is affected by CVE-2023-42503.
Solution
Upgrade commons-compress from its current release to the latest release (at the time of this writing, 1.24.0).
Success criteria
The success criteria for this ticket are as follows:
- Jenkins released with commons-compress 1.24.0 - Jenkins 2.423 and later (GitHub commit)
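One way to check the success criterion against a deployed `jenkins.war`, as an added example that is not part of the original ticket or the Jenkins project's own code. It assumes bundled libraries sit under `WEB-INF/lib/` with the version in the jar file name; the function names and the sample WAR contents are constructed for illustration.

```python
import io
import re
import zipfile

FIXED = (1, 24, 0)  # commons-compress release named in the ticket
# Assumption: bundled jars live in WEB-INF/lib/ and carry the version in the name.
JAR_RE = re.compile(r"^WEB-INF/lib/commons-compress-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '1.23.0' into (1, 23, 0), padded to three parts for comparison."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def bundled_commons_compress(war):
    """Return the version string of every commons-compress jar in the WAR."""
    with zipfile.ZipFile(war) as zf:
        matches = (JAR_RE.match(name) for name in zf.namelist())
        return [m.group(1) for m in matches if m]


def audit_war(war):
    """Classify a WAR (path or file object) as 'fixed', 'outdated' or 'not-found'."""
    versions = bundled_commons_compress(war)
    if not versions:
        return "not-found", versions
    # A single outdated copy is enough to flag the WAR.
    if any(parse_version(v) < FIXED for v in versions):
        return "outdated", versions
    return "fixed", versions


def make_war(jar_names):
    """Build a constructed in-memory WAR holding empty jars (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in jar_names:
            zf.writestr("WEB-INF/lib/" + name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed samples: one WAR below the fixed release, one at it.
    for jars in (["commons-compress-1.23.0.jar"], ["commons-compress-1.24.0.jar"]):
        print(jars, audit_war(make_war(jars)))
```

`audit_war` also accepts a filesystem path, so it can be pointed at the WAR file of an installed controller.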