​
DirectorySecurity Advisories
Sign In
Security Advisories

CGA-8x9v-cf96-pv47

Published

Last updated

https://images.chainguard.dev/security/CGA-8x9v-cf96-pv47
Package

jenkins-2.462

Latest Update
Fixed
Fixed Version

2.462.3-r0

Aliases
  • CVE-2024-47804
  • GHSA-f9qj-77q2-h5c5

Severity

4.3

Medium

CVSS V3

Summary

Jenkins item creation restriction bypass vulnerability

Description

Jenkins provides APIs for fine-grained control of item creation:

  • Authorization strategies can prohibit the creation of items of a given type in a given item group (ACL#hasCreatePermission2).

  • Item types can prohibit creation of new instances in a given item group (TopLevelItemDescriptor#isApplicableIn(ItemGroup)).

If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk.

This allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it.

If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.479, LTS 2.462.3 does not retain the item in memory.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2024-47804
  • https://github.com/advisories/GHSA-f9qj-77q2-h5c5
  • https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448

Updates

Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images

Why Chainguard

Container Image SecurityVulnerability RemediationCompliance and Risk MitigationSoftware Supply Chain SecurityAI/ML Security

Customers

Customer StoriesChainguard Love

Company

About UsOpen SourceCareersNewsroomLegal

Resources

Unchained BlogResearchEventsTrust CenterDocumentation