CVE-2024-47806
Jenkins OpenId Connect Authentication Plugin lacks audience claim validation
8.1
HIGH
CVSS 3.1
EPSS 0.24%
Description
Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `aud` (Audience) claim of an ID Token during its authentication flow, a value to verify the token is issued for the correct client. This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins. OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the `aud` (Audience) claim of an ID Token during its authentication flow.
How to fix CVE-2024-47806
To remediate CVE-2024-47806, upgrade the affected package to a fixed version below.
- —upgrade to 4.355.v3a or later
Is CVE-2024-47806 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 4.355.v3a
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |