GHSA-49hx-9mm2-7675

Опубликовано: 02 окт. 2024

Источник: github

Github: Прошло ревью

CVSS4: 9.2

CVSS3: 8.1

Описание

Jenkins OpenId Connect Authentication Plugin lacks audience claim validation

Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the aud (Audience) claim of an ID Token during its authentication flow, a value to verify the token is issued for the correct client.

This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the aud (Audience) claim of an ID Token during its authentication flow.

Ссылки

Пакеты

Наименование

org.jenkins-ci.plugins:oic-auth

maven

Затронутые версииВерсия исправления

< 4.355.v3a

4.355.v3a

EPSS

Процентиль: 40%

0.0018

Низкий

9.2 Critical

CVSS4

8.1 High

CVSS3

CVE ID

CVE-2024-47806

Дефекты

CWE-287

Связанные уязвимости

CVE-2024-47806

CVSS3: 8.1

nvd

больше 1 года назад

Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `aud` (Audience) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

EPSS

Процентиль: 40%

0.0018

Низкий

9.2 Critical

CVSS4

8.1 High

CVSS3

CVE ID

CVE-2024-47806

Дефекты

CWE-287