GHSA-8pjw-fff6-3mjv: Jenkins OpenId Connect Authentication Plugin lacks issuer claim validation

Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the iss (Issuer) claim of an ID Token during its authentication flow, a value that identifies the Originating Party (IdP).

This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the iss (Issuer) claim of an ID Token during its authentication flow when the Issuer is known.
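The check the fix adds is a relying-party claim validation: after the ID Token's signature has been verified, the `iss` claim must equal the issuer the relying party was configured to trust, in addition to the usual `aud` and `exp` checks. The following Python is an added example written for this page, not code from the Jenkins plugin; it contrasts a validator that ignores `iss` with one that compares it, using constructed tokens with a placeholder signature segment. `EXPECTED_ISSUER`, `CLIENT_ID`, `NOW` and the two sample claim sets are assumptions invented for the example; signature verification against the provider's JWKS is assumed to happen elsewhere.

```python
import base64
import json

# Constructed values for this example (assumptions, not from the advisory):
EXPECTED_ISSUER = "https://idp.example.com"   # the issuer the relying party is configured to trust
CLIENT_ID = "jenkins-oic-client"              # the client_id registered with that issuer
NOW = 1_700_000_000                           # fixed "current time" so the example is deterministic


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that compact JWS serialisation strips (RFC 7515 section 2).
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict) -> str:
    """Build a constructed compact-serialised token for the example.

    The signature segment is a placeholder: signature verification against the
    provider's JWKS is assumed to happen before claim validation and is out of
    scope here, since the advisory concerns the claim check, not the signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-placeholder"


def decode_claims(id_token: str) -> dict:
    """Parse the claims (payload segment) of a compact-serialised ID Token."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def _audiences(claims: dict) -> list:
    # 'aud' may be a single string or an array (OpenID Connect Core, section 2).
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def validate_claims_without_issuer(claims: dict, client_id: str, now: int) -> list:
    """Audience and expiry checks only; 'iss' is never compared (the weak pattern)."""
    errors = []
    if client_id not in _audiences(claims):
        errors.append("aud does not contain this client_id")
    if claims.get("exp", 0) <= now:
        errors.append("token expired")
    return errors


def validate_claims(claims: dict, expected_issuer: str, client_id: str, now: int) -> list:
    """Hardened check: the same checks plus an exact match of 'iss' against the
    issuer the relying party is configured to trust."""
    errors = validate_claims_without_issuer(claims, client_id, now)
    if claims.get("iss") != expected_issuer:
        errors.append("iss does not match the configured issuer")
    return errors


def run_example() -> dict:
    """Run both validators over two constructed tokens that share 'aud' and 'sub'
    but carry different issuers. Returns the error list for each combination."""
    trusted = make_sample_token({
        "iss": EXPECTED_ISSUER, "sub": "alice", "aud": CLIENT_ID,
        "exp": NOW + 300, "iat": NOW,
    })
    foreign = make_sample_token({
        "iss": "https://other-idp.example.net", "sub": "alice", "aud": CLIENT_ID,
        "exp": NOW + 300, "iat": NOW,
    })
    results = {}
    for name, token in (("trusted", trusted), ("foreign", foreign)):
        claims = decode_claims(token)
        results[name] = {
            "without_iss_check": validate_claims_without_issuer(claims, CLIENT_ID, NOW),
            "with_iss_check": validate_claims(claims, EXPECTED_ISSUER, CLIENT_ID, NOW),
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_example().items():
        for check, errors in outcome.items():
            print(f"{name:8} {check:18} -> {'accepted' if not errors else errors}")
```

Running the module shows the point of the advisory: the validator that skips `iss` accepts both tokens, because audience and expiry alone do not tell one issuer's tokens from another's, while the hardened validator rejects the token whose `iss` differs from the configured issuer. Comparing `iss` with an exact string match against the configured value (rather than a prefix or pattern) is the behaviour to look for when reviewing any relying-party implementation.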

CVE: CVE-2024-47807


Critical severity GitHub Reviewed Published Oct 2, 2024 to the GitHub Advisory Database • Updated Oct 2, 2024

Package: org.jenkins-ci.plugins:oic-auth (Maven)

Affected versions: < 4.355.v3a

Patched versions: 4.355.v3a


References

  • https://nvd.nist.gov/vuln/detail/CVE-2024-47807
  • https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3441%20(2)

Published to the GitHub Advisory Database: Oct 2, 2024
