PT-2024-32822 · Jenkins · Jenkins Openid Connect Authentication Plugin

James Nord · Published 2024-10-02 · Updated 2024-10-07 · CVE-2024-47806

CVSS v4.0: 9.2 Critical
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Jenkins OpenId Connect Authentication Plugin versions 4.354.v321ce67a_1de8 and earlier

Description: Jenkins OpenId Connect Authentication Plugin does not check the aud (Audience) claim of an ID Token during its authentication flow. The aud claim identifies the client the token was issued for; without that check, attackers can subvert the authentication flow and potentially gain administrator access to Jenkins.

Recommendations: For Jenkins OpenId Connect Authentication Plugin versions 4.354.v321ce67a_1de8 and earlier, update to version 4.355.v3a_fb_fca_b_96d4 or later, which checks the aud (Audience) claim of an ID Token during its authentication flow. As a temporary workaround, review configurations for unauthorized access and restrict access to sensitive areas of Jenkins until the update can be applied.
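As an added illustration (not code from the plugin or from this advisory), the Python validator below contrasts an ID token check that ignores aud with one that enforces it: a genuine token from the trusted issuer, signed correctly but issued to a different client, passes the first and fails the second. The issuer, client_id, signing key and token contents are constructed for the example, and HS256 stands in for the asymmetric signature a real IdP would use.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example only; none come from the advisory.
ISSUER = "https://idp.example.test"
CLIENT_ID = "jenkins-oidc-client"          # the client_id registered for Jenkins
IDP_SIGNING_KEY = b"constructed-idp-key"   # one key for every token the IdP issues

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims: dict) -> str:
    """Stand-in IdP: sign an ID token (HS256 only to avoid dependencies;
    a real IdP signs with an asymmetric key published via JWKS)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(IDP_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{_b64url(mac.digest())}"

def verify_id_token(token: str, check_aud: bool = True) -> Optional[dict]:
    """Return the claims if the token is acceptable for this client, else None.
    check_aud=False reproduces the flaw: any valid token from the IdP passes."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    mac = hmac.new(IDP_SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= time.time():
        return None
    if check_aud:
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if CLIENT_ID not in audiences:
            return None
        # With several audiences, OpenID Connect requires azp to name this client.
        if len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
            return None
    return claims
```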

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2024-47806
GHSA-49HX-9MM2-7675

Affected Products

Jenkins
Jenkins Openid Connect Authentication Plugin