CVE-2024-47804

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.478 and earlier, LTS 2.462.2 and earlier

Description The issue is related to insufficient access control in Jenkins, allowing attackers to bypass item creation restrictions. If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the checks fail, Jenkins creates the item in memory, only deleting it from disk. This allows attackers with Item/Configure permission to save the item to persist it, effectively bypassing the item creation restriction. The checks that may fail include ACL#hasCreatePermission2 or TopLevelItemDescriptor#isApplicableIn(ItemGroup).

Recommendations For Jenkins versions 2.478 and earlier, LTS 2.462.2 and earlier, consider disabling the ACL#hasCreatePermission2 and TopLevelItemDescriptor#isApplicableIn(ItemGroup) functions until a patch is available to prevent attackers from bypassing item creation restrictions. As a temporary workaround, restrict access to the Jenkins CLI and REST API to minimize the risk of exploitation. Avoid using the Item/Configure permission in the affected Jenkins versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.