CVE-2024-47806

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-47806
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47806.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-47806
Aliases
Published
2024-10-02T16:15:10Z
Modified
2025-05-17T14:23:41.919781Z
Summary
[none]
Details

Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the aud (Audience) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

References

Affected packages

Git / github.com/jenkinsci/oic-auth-plugin

Affected ranges

Type
GIT
Repo
https://github.com/jenkinsci/oic-auth-plugin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

4.*

4.223.v503b_9a_75a_8a_f
4.224.v62720cfa_026e
4.225.v03326773b_44b_
4.227.v36610663f760
4.228.v0c3e8682ff1f
4.229.vf736b_fec02f4
4.236.v4124503b_a_f88
4.238.v0021f710b_b_f4
4.239.v325750a_96f3b_
4.250.v5a_d993226437
4.257.v5360e8489e8b_
4.269.va_7526f34f306
4.279.vca_c1e2fdd24b_
4.284.v0cc21de03d37
4.290.v6f5e8da_e98b_2
4.297.vcddb_d8a_e4694
4.299.v5ca_eb_6a_f3e6d
4.303.v84089a_708ea_7
4.320.v23537cb_a_b_5c6
4.324.vfd49d010926b_
4.329.v994d3f265d68
4.330.v6fdfc07513e3
4.331.vd925b_f76f3a_c
4.340.ve70636c6590e
4.346.v10401f543622
4.350.v347c3b_8b_9d95
4.354.v321ce67a_1de8

Other

next

oic-auth-1.*

oic-auth-1.0
oic-auth-1.1
oic-auth-1.2
oic-auth-1.3
oic-auth-1.4
oic-auth-1.5
oic-auth-1.6
oic-auth-1.7
oic-auth-1.8

oic-auth-2.*

oic-auth-2.0
oic-auth-2.1
oic-auth-2.2
oic-auth-2.3
oic-auth-2.4
oic-auth-2.5
oic-auth-2.6

oic-auth-3.*

oic-auth-3.0