CVE-2024-47806: Jenkins OpenId Connect Authentication Plugin lacks audience claim validation

October 2, 2024

Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the aud (Audience) claim of an ID Token during its authentication flow, a value to verify the token is issued for the correct client.

This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the aud (Audience) claim of an ID Token during its authentication flow.

References

github.com/advisories/GHSA-49hx-9mm2-7675
nvd.nist.gov/vuln/detail/CVE-2024-47806
www.jenkins.io/security/advisory/2024-10-02/

Detect and mitigate CVE-2024-47806 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →