CVE-2024-47807

Summary

Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the iss (Issuer) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

Affected Software

VendorProductVersion RangeStatus
Jenkins ProjectJenkins OpenId Connect Authentication Plugin0 <= 4.354.v321ce67a_1de8affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References