PT-2024-7984 · Jenkins · Jenkins Openid Connect Authentication Plugin

James Nord · Published 2024-10-01 · Updated 2024-10-07 · CVE-2024-47807

CVSS v4.0: 9.2 (Critical)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Jenkins OpenId Connect Authentication Plugin versions 4.354.v321ce67a_1de8 and earlier

Description: The issue is related to a flaw in the authentication procedure of the Jenkins OpenId Connect plugin. This flaw allows a remote attacker to bypass the authentication process by exploiting the lack of verification of the iss (Issuer) claim in an ID Token. This could potentially grant the attacker administrator access to Jenkins.

Recommendations: For Jenkins OpenId Connect Authentication Plugin versions 4.354.v321ce67a_1de8 and earlier, update to version 4.355.v3a_fb_fca_b_96d4 or later, which includes a fix for this issue by checking the iss (Issuer) claim of an ID Token during the authentication flow when the Issuer is known. As a temporary workaround, consider restricting access to the Jenkins authentication flow to minimize the risk of exploitation until the update can be applied.
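The check the fix adds, shown as an added illustration that is not the plugin's own code: ID Token claims are validated only after the signature passes, and the iss claim must equal the issuer configured for the provider. HS256 with a shared demo key, the issuer URL, client_id and key are all constructed placeholders so the example runs offline; a real provider signs with an asymmetric key from its JWKS. Passing expected_issuer=None reproduces the pre-fix behaviour described above.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values: HS256 with a shared secret is used only so this
# runs with the standard library. Real OIDC ID Tokens are signed by the
# provider's asymmetric key (JWKS); the signature step would change, the
# claim checks would not.
DEMO_KEY = b"constructed-shared-secret"            # placeholder, not a real key
EXPECTED_ISSUER = "https://idp.example/realms/ci"  # hypothetical configured issuer
CLIENT_ID = "jenkins-demo"                         # hypothetical client_id

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a compact JWS (HS256) carrying the given claims; test helper only."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_id_token(token: str, key: bytes = DEMO_KEY,
                      expected_issuer=EXPECTED_ISSUER,
                      client_id: str = CLIENT_ID, now=None) -> dict:
    """Verify the signature, then the claims OIDC Core 3.1.3.7 requires.

    expected_issuer=None mirrors the unpatched behaviour: any issuer whose
    token carries a valid signature is accepted.
    """
    header, body, sig = token.split(".")  # ValueError on a malformed token
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    now = int(time.time()) if now is None else now
    # The fix for CVE-2024-47807: when the issuer is known, iss must match it.
    if expected_issuer is not None and claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims
```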

Weakness Enumeration: Improper Authentication

Related Identifiers

BDU:2024-09497
CVE-2024-47807
GHSA-8PJW-FFF6-3MJV

Affected Products

Jenkins
Jenkins Openid Connect Authentication Plugin