CVE-2024-47806

Source
https://cve.org/CVERecord?id=CVE-2024-47806
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47806.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-47806
Aliases
Published
2024-10-02T16:15:10.807Z
Modified
2026-03-12T11:11:03.651912Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not validate the aud (Audience) claim of an ID Token, allowing attackers to subvert the authentication flow and potentially gain administrator access to Jenkins. The audience claim is what binds an ID token to a specific relying party, so without this check a token that was issued for a different client of the same identity provider can be accepted as if it had been issued for this Jenkins instance.

References

Affected packages

Git / github.com/jenkinsci/oic-auth-plugin

Affected ranges

Type
GIT
Repo
https://github.com/jenkinsci/oic-auth-plugin
Events
Introduced
0 (unknown introducing commit; all previous commits are affected)
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.355.v3a_fb_fca_b_96d4"
        }
    ]
}

Affected versions

4.*
4.223.v503b_9a_75a_8a_f
4.224.v62720cfa_026e
4.225.v03326773b_44b_
4.227.v36610663f760
4.228.v0c3e8682ff1f
4.229.vf736b_fec02f4
4.236.v4124503b_a_f88
4.238.v0021f710b_b_f4
4.239.v325750a_96f3b_
4.250.v5a_d993226437
4.257.v5360e8489e8b_
4.269.va_7526f34f306
4.279.vca_c1e2fdd24b_
4.284.v0cc21de03d37
4.290.v6f5e8da_e98b_2
4.297.vcddb_d8a_e4694
4.299.v5ca_eb_6a_f3e6d
4.303.v84089a_708ea_7
4.320.v23537cb_a_b_5c6
4.324.vfd49d010926b_
4.329.v994d3f265d68
4.330.v6fdfc07513e3
4.331.vd925b_f76f3a_c
4.340.ve70636c6590e
4.346.v10401f543622
4.350.v347c3b_8b_9d95
4.354.v321ce67a_1de8
Other
next
oic-auth-1.*
oic-auth-1.0
oic-auth-1.1
oic-auth-1.2
oic-auth-1.3
oic-auth-1.4
oic-auth-1.5
oic-auth-1.6
oic-auth-1.7
oic-auth-1.8
oic-auth-2.*
oic-auth-2.0
oic-auth-2.1
oic-auth-2.2
oic-auth-2.3
oic-auth-2.4
oic-auth-2.5
oic-auth-2.6
oic-auth-3.*
oic-auth-3.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47806.json"
vanir_signatures
[
    {
        "id": "CVE-2024-47806-2ad7d07a",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "256061485659523066401596643294046984630",
                "257765814964660403838855411271271325177"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/main/java/org/jenkinsci/plugins/oic/OicServerConfiguration.java"
        },
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3afbfcab96d4d3841e0e24b57f4ad5e7ee3013e4",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "id": "CVE-2024-47806-301cbb16",
        "signature_type": "Function",
        "digest": {
            "function_hash": "297498098011953112482366324272113104330",
            "length": 809.0
        },
        "target": {
            "file": "src/main/java/org/jenkinsci/plugins/oic/WellKnownOpenIDConfigurationResponse.java",
            "function": "equals"
        },
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3afbfcab96d4d3841e0e24b57f4ad5e7ee3013e4",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "id": "CVE-2024-47806-35ea554b",
        "signature_type": "Function",
        "digest": {
            "function_hash": "105711094136723771885761544430544272451",
            "length": 1661.0
        },
        "target": {
            "file": "src/main/java/org/jenkinsci/plugins/oic/OicServerWellKnownConfiguration.java",
            "function": "loadWellKnownConfigIfNeeded"
        },
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3afbfcab96d4d3841e0e24b57f4ad5e7ee3013e4",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "id": "CVE-2024-47806-9460a366",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "67570701970673608222212844732681600451",
                "30612755203717281182159335229943959434",
                "114019359486688298880153102542411198389",
                "256774372589463568930272565918548697022",
                "258424108051625856895541237240023441891",
                "129403820850832066605691314560905879004",
                "52110133900857583825608322889202922637",
                "165752251003513091999206391306430097875",
                "323234670084021938229962994968830984749",
                "321111043166444278663051489956238951823",
                "188487400518828833647667787539964226223"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/main/java/org/jenkinsci/plugins/oic/OicServerWellKnownConfiguration.java"
        },
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3afbfcab96d4d3841e0e24b57f4ad5e7ee3013e4",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "id": "CVE-2024-47806-9806d01c",
        "signature_type": "Function",
        "digest": {
            "function_hash": "157054352151428089053289239904853867913",
            "length": 309.0
        },
        "target": {
            "file": "src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java",
            "function": "getJwksVerifier"
        },
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3afbfcab96d4d3841e0e24b57f4ad5e7ee3013e4",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "id": "CVE-2024-47806-af875a30",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "279698833750425947525703948078816992325",
                "147284918173078535919043697079553043792",
                "87602677173282422063083264925096666912",
                "46920224649904095199730423177845040592"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/WellKnownOpenIDConfigurationResponseTest.java"
        },
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3afbfcab96d4d3841e0e24b57f4ad5e7ee3013e4",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "id": "CVE-2024-47806-b0e95e23",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "236303537022941432981206460697615198502",
                "125685445912520819358114642204510569008",
                "330504828146206084045210557581460035864",
                "204756633887330422922250312643824196",
                "25293201397160549320815512994875071867",
                "325893275459471017740147229425900338919",
                "301624969112684589726612293273225264003",
                "50247501791641186898586728932156551865",
                "328647082816628523511796785449251278014"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java"
        },
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3afbfcab96d4d3841e0e24b57f4ad5e7ee3013e4",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "id": "CVE-2024-47806-b882f343",
        "signature_type": "Function",
        "digest": {
            "function_hash": "29952804587327918496339983918505878907",
            "length": 197.0
        },
        "target": {
            "file": "src/main/java/org/jenkinsci/plugins/oic/WellKnownOpenIDConfigurationResponse.java",
            "function": "hashCode"
        },
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3afbfcab96d4d3841e0e24b57f4ad5e7ee3013e4",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "id": "CVE-2024-47806-c0fa9cc0",
        "signature_type": "Function",
        "digest": {
            "function_hash": "273304665140457197766800190702400505760",
            "length": 527.0
        },
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/TestRealm.java",
            "function": "buildServerConfiguration"
        },
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3afbfcab96d4d3841e0e24b57f4ad5e7ee3013e4",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "id": "CVE-2024-47806-c949f790",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "201050064178905129074476714339681648955",
                "330043524979038160282925669579808564669",
                "110147692349848981539286867246792452317",
                "112444827900497748135072156335289918115",
                "86785129386990880817417334251433945543",
                "39086526194484634361430461927233038131",
                "11707601743025545273483820174494878323",
                "58596175917088299940106171201693575945",
                "148242724711789298394863091197540224515",
                "25140028688739185774895957073348261127",
                "325019186459557169542389460003072534112",
                "194958183224686336252502095722104702526",
                "322973512217322830364665836636311737454"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/main/java/org/jenkinsci/plugins/oic/OicServerManualConfiguration.java"
        },
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3afbfcab96d4d3841e0e24b57f4ad5e7ee3013e4",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "id": "CVE-2024-47806-c97cf77b",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "23002094923523951222699773488249996349",
                "130091578209867618092953323736021423943",
                "213208352082872479970700727763949398232",
                "126346310258006946231055082506112523640",
                "127579992634920259233379944650714847386",
                "71421886310570502731742658067654327527",
                "171157213275264433344269730767435624497",
                "232672106298324254311697113265486465972",
                "321760777197653370612088198091554850567",
                "37159195187649693002430935745873365941",
                "202172740987343283882852579855369900135"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/TestRealm.java"
        },
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3afbfcab96d4d3841e0e24b57f4ad5e7ee3013e4",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "id": "CVE-2024-47806-d7ebd35a",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "161317197119904493957361558825244779884",
                "63369114150939990389630907483136381152",
                "295649076160362864058949356817687832287",
                "304898149437379446666749828901317430201",
                "232702553952152118909275985523207818869",
                "217170765236630448057097666318424834662",
                "301019854247239615514928015183879433660"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/PluginTest.java"
        },
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3afbfcab96d4d3841e0e24b57f4ad5e7ee3013e4",
        "signature_version": "v1",
        "deprecated": false
    },
    {
        "id": "CVE-2024-47806-e8f9209e",
        "signature_type": "Line",
        "digest": {
            "line_hashes": [
                "111517117560259178425056293319653484063",
                "264027140702633219871725454386870732972",
                "113478281016836838414648830953493031023",
                "167795531525830302529803066793750666857",
                "188748458584022324723966213549833092579",
                "226042909789617629791837132891906519673",
                "149768938167854899418931047981316298609",
                "270142601276665064689079019402276037379",
                "94010402263607502880783746979546887009",
                "120422323437846852563766962965370014365",
                "71697386865457945564738575538365628257",
                "52366640225766735144145357928405877191",
                "287827912097121876302756846823550023624",
                "186721033519600290962218188544736055489"
            ],
            "threshold": 0.9
        },
        "target": {
            "file": "src/main/java/org/jenkinsci/plugins/oic/WellKnownOpenIDConfigurationResponse.java"
        },
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3afbfcab96d4d3841e0e24b57f4ad5e7ee3013e4",
        "signature_version": "v1",
        "deprecated": false
    }
]