Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-49hx-9mm2-7675: Jenkins OpenId Connect Authentication Plugin lacks audience claim validation

Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the aud (Audience) claim of an ID Token during its authentication flow, a value to verify the token is issued for the correct client.

This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the aud (Audience) claim of an ID Token during its authentication flow.

ghsa
#vulnerability#git#java#auth#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-47806

Jenkins OpenId Connect Authentication Plugin lacks audience claim validation

Critical severity GitHub Reviewed Published Oct 2, 2024 to the GitHub Advisory Database • Updated Oct 2, 2024

Package

maven org.jenkins-ci.plugins:oic-auth (Maven)

Affected versions

< 4.355.v3a

Patched versions

4.355.v3a

Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the aud (Audience) claim of an ID Token during its authentication flow, a value to verify the token is issued for the correct client.

This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the aud (Audience) claim of an ID Token during its authentication flow.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2024-47806
  • https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3441%20(1)

Published to the GitHub Advisory Database

Oct 2, 2024

ghsa: Latest News

GHSA-gppm-hq3p-h4rp: Git credentials are exposed in Atlantis logs