GHSA-8pjw-fff6-3mjv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8pjw-fff6-3mjv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-8pjw-fff6-3mjv/GHSA-8pjw-fff6-3mjv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8pjw-fff6-3mjv
- Aliases
-
- CVE-2024-47807
- Published
- 2024-10-02T18:31:32Z
- Modified
- 2024-10-02T22:12:29.355835Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Jenkins OpenId Connect Authentication Plugin lacks issuer claim validation
- Details
-
Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the
iss(Issuer) claim of an ID Token during its authentication flow, a value that identifies the Originating Party (IdP).This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.
OpenId Connect Authentication Plugin 4.355.v3afbfcab96d4 checks the
iss(Issuer) claim of an ID Token during its authentication flow when the Issuer is known. - Database specific
{ "nvd_published_at": "2024-10-02T16:15:10Z", "cwe_ids": [ "CWE-287" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-10-02T21:51:00Z" }- References
Affected packages
Maven / org.jenkins-ci.plugins:oic-auth
Package
- Name
- org.jenkins-ci.plugins:oic-auth
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/oic-auth
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.355.v3a
Affected versions
1.*
1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
2.*
2.0.0
2.1
2.2
2.3
2.4
2.5
2.6
3.*
3.0
4.*
4.220.v22331f08e6a_3
4.223.v503b_9a_75a_8a_f
4.224.v62720cfa_026e
4.225.v03326773b_44b_
4.227.v36610663f760
4.228.v0c3e8682ff1f
4.229.vf736b_fec02f4
4.236.v4124503b_a_f88
4.238.v0021f710b_b_f4
4.239.v325750a_96f3b_
4.250.v5a_d993226437
4.257.v5360e8489e8b_
4.269.va_7526f34f306
4.279.vca_c1e2fdd24b_
4.284.v0cc21de03d37
4.290.v6f5e8da_e98b_2
4.297.vcddb_d8a_e4694
4.299.v5ca_eb_6a_f3e6d
4.303.v84089a_708ea_7
4.320.v23537cb_a_b_5c6
4.324.vfd49d010926b_
4.329.v994d3f265d68
4.330.v6fdfc07513e3
4.331.vd925b_f76f3a_c
4.340.ve70636c6590e
4.346.v10401f543622
4.350.v347c3b_8b_9d95
4.354.v321ce67a_1de8