CVE-2024-47806

CWE-287Improper Authentication5 documents5 sources
Severity
8.1HIGH
EPSS
0.2%
top 52.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Openid Connect AuthenticationJenkins Project Jenkins Openid Connect Authentication Plugin
Timeline
PublishedOct 2

Description

Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `aud` (Audience) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9

Affected Packages3 packages

NVDjenkins/openid_connect_authentication< 4.355.v3a_fb_fca_b_96d4

🔴Vulnerability Details

3
CVEList
CVE-2024-47806: Jenkins OpenId Connect Authentication Plugin 42024-10-02
OSV
Jenkins OpenId Connect Authentication Plugin lacks audience claim validation2024-10-02
GHSA
Jenkins OpenId Connect Authentication Plugin lacks audience claim validation2024-10-02

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2024-10-022024-10-02
CVE-2024-47806 (HIGH CVSS 8.1) | Jenkins OpenId Connect Authenticati | cvebase.io