CVE-2024-47807: Jenkins OpenId Connect Authentication Plugin lacks issuer claim validation

October 2, 2024

Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the iss (Issuer) claim of an ID Token during its authentication flow, a value that identifies the Originating Party (IdP).

This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the iss (Issuer) claim of an ID Token during its authentication flow when the Issuer is known.

References

github.com/advisories/GHSA-8pjw-fff6-3mjv
nvd.nist.gov/vuln/detail/CVE-2024-47807
www.jenkins.io/security/advisory/2024-10-02/

Detect and mitigate CVE-2024-47807 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →