GHSA-49hx-9mm2-7675
Suggest an improvement- Source
- https://github.com/advisories/GHSA-49hx-9mm2-7675
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-49hx-9mm2-7675/GHSA-49hx-9mm2-7675.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-49hx-9mm2-7675
- Aliases
-
- CVE-2024-47806
- Published
- 2024-10-02T18:31:32Z
- Modified
- 2024-10-02T22:12:29.272348Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Jenkins OpenId Connect Authentication Plugin lacks audience claim validation
- Details
-
Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the
aud(Audience) claim of an ID Token during its authentication flow, a value to verify the token is issued for the correct client.This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.
OpenId Connect Authentication Plugin 4.355.v3afbfcab96d4 checks the
aud(Audience) claim of an ID Token during its authentication flow. - Database specific
{ "nvd_published_at": "2024-10-02T16:15:10Z", "cwe_ids": [ "CWE-287" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-10-02T21:50:53Z" }- References
Affected packages
Maven / org.jenkins-ci.plugins:oic-auth
Package
- Name
- org.jenkins-ci.plugins:oic-auth
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/oic-auth
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.355.v3a
Affected versions
1.*
1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
2.*
2.0.0
2.1
2.2
2.3
2.4
2.5
2.6
3.*
3.0
4.*
4.220.v22331f08e6a_3
4.223.v503b_9a_75a_8a_f
4.224.v62720cfa_026e
4.225.v03326773b_44b_
4.227.v36610663f760
4.228.v0c3e8682ff1f
4.229.vf736b_fec02f4
4.236.v4124503b_a_f88
4.238.v0021f710b_b_f4
4.239.v325750a_96f3b_
4.250.v5a_d993226437
4.257.v5360e8489e8b_
4.269.va_7526f34f306
4.279.vca_c1e2fdd24b_
4.284.v0cc21de03d37
4.290.v6f5e8da_e98b_2
4.297.vcddb_d8a_e4694
4.299.v5ca_eb_6a_f3e6d
4.303.v84089a_708ea_7
4.320.v23537cb_a_b_5c6
4.324.vfd49d010926b_
4.329.v994d3f265d68
4.330.v6fdfc07513e3
4.331.vd925b_f76f3a_c
4.340.ve70636c6590e
4.346.v10401f543622
4.350.v347c3b_8b_9d95
4.354.v321ce67a_1de8