CVE-2024-43045
📋 TL;DR
Jenkins 2.470 and earlier and LTS 2.452.3 and earlier do not perform a permission check on the HTTP endpoint that serves a user's 'My Views' (the per-user dashboards under /user/<username>/my-views/). Any account with Overall/Read permission can therefore view other users' My Views. Jenkins 2.471 and LTS 2.452.4 fix this by requiring Overall/Administer to access another user's My Views.
💻 Affected Systems
- Jenkins
📦 What is this software?
Jenkins (Jenkins project): open-source automation server used to build, test and deploy software (CI/CD).
⚠️ Risk & Real-World Impact
Worst Case
A low-privilege account reads other users' My Views and learns how they organise their work: view names, filters and the jobs they track. This is reconnaissance that can expose internal project structure, build layout and job names that should be restricted; it does not by itself grant access to job contents or build execution.
Likely Case
Curious or malicious users browsing colleagues' dashboards, revealing team structure and which projects individual users work on.
If Mitigated
With the patch applied the endpoint requires Overall/Administer. With Overall/Read restricted to trusted accounts and Jenkins unreachable from untrusted networks, exposure is limited to whatever those trusted users could learn from non-sensitive view configurations.
🎯 Exploit Status
Trivial to exploit and needs no special tooling: an authenticated user with Overall/Read issues an ordinary GET to /user/<other-user>/my-views/, and the unpatched endpoint serves it because it performs no permission check. Anonymous users count too if the instance grants Overall/Read to Anonymous. Per the vendor advisory, users who additionally hold global View/Configure and View/Delete permissions can also modify other users' My Views.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Jenkins 2.471, Jenkins LTS 2.452.4
Vendor Advisory: https://www.jenkins.io/security/advisory/2024-08-07/#SECURITY-3349
Restart Required: Yes
Instructions:
1. Back up your Jenkins instance (JENKINS_HOME).
2. Upgrade to Jenkins 2.471 (weekly) or Jenkins LTS 2.452.4, whichever line you run.
3. Restart the Jenkins service.
4. Verify the upgrade completed successfully (Manage Jenkins > About Jenkins shows the new version).
🔧 Temporary Workarounds
Restrict Overall/Read Permissions
Limit Overall/Read permission to trusted accounts. Do not grant it to the Anonymous user, and do not grant it to all authenticated users if the instance allows self-registration. This shrinks the pool of accounts that can reach the unpatched endpoint, but any remaining reader can still exploit it, so it is not a substitute for the upgrade.
Manage Jenkins > Security (Configure Global Security in older releases) > Authorization: Matrix-based security or the Role-based Authorization Strategy plugin
🧯 If You Can't Patch
- Keep Jenkins off untrusted networks: put it behind a VPN or a reverse proxy with its own authentication so that only known users can reach the /user/* endpoints at all
- Review who holds Overall/Read (including Anonymous and the 'authenticated' group) and remove it from accounts that do not need it
🔍 How to Verify
Check if Vulnerable:
Compare the running version with the fixed versions: Manage Jenkins > About Jenkins, the X-Jenkins response header Jenkins sends with its pages, or 'java -jar jenkins.war --version' on the controller. Weekly releases below 2.471 and LTS releases below 2.452.4 are affected.
Check Version:
java -jar jenkins.war --version
Verify Fix Applied:
Confirm the version is 2.471 or later (weekly) or 2.452.4 or later (LTS). Then test the behaviour: log in as an account that has only Overall/Read and request /user/<some-other-user>/my-views/; a fixed instance returns HTTP 403, an unpatched one renders the other user's views.
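The version comparison and the functional test above, as an added example (not code from the Jenkins project or the vendor advisory). The version logic follows the advisory text: weekly 2.470 and earlier and LTS 2.452.3 and earlier are affected, 2.471 and LTS 2.452.4 carry the fix, and a three-component version is treated as an LTS line. The live probe assumes you have an account holding only Overall/Read and an API token for it; base URL, user, token and target user are all supplied on the command line.

```python
"""Version check for CVE-2024-43045 (SECURITY-3349), plus an optional live
probe. Added example; not code from the Jenkins project or the vendor advisory.

Version logic follows the advisory text: weekly 2.470 and earlier and LTS
2.452.3 and earlier are affected; 2.471 and LTS 2.452.4 carry the fix.
The probe assumes you have an account holding only Overall/Read and an API
token for it (assumptions; nothing here is guessed about your setup).
"""
import base64
import re
import sys
import urllib.error
import urllib.request

FIXED_WEEKLY = (2, 471)
FIXED_LTS = (2, 452, 4)


def parse_version(text: str) -> tuple:
    """Extract a version tuple from '2.471', '2.452.3', the output of
    'java -jar jenkins.war --version', or an X-Jenkins header value.
    Pre-release suffixes such as '-SNAPSHOT' are ignored."""
    m = re.search(r"(\d+(?:\.\d+){1,2})", text)
    if not m:
        raise ValueError(f"no Jenkins version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """Three components (2.452.3) means an LTS line, two (2.470) a weekly
    release; each line is compared against its own fixed version."""
    v = parse_version(version)
    if len(v) == 3:
        return v < FIXED_LTS
    return v < FIXED_WEEKLY


def fetch_version(base_url: str) -> str:
    """Read the X-Jenkins response header, which Jenkins sends on most responses."""
    req = urllib.request.Request(base_url.rstrip("/") + "/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            header = resp.headers.get("X-Jenkins")
    except urllib.error.HTTPError as e:  # a 403 from a locked-down instance may still carry it
        header = e.headers.get("X-Jenkins")
    if not header:
        raise RuntimeError("no X-Jenkins header; check Manage Jenkins > About Jenkins instead")
    return header


def probe_my_views(base_url: str, user: str, token: str, target_user: str) -> int:
    """GET another user's My Views as the low-privilege account and return the
    HTTP status. 200 = readable (vulnerable); 403 = blocked (fixed releases
    require Overall/Administer here, per the vendor advisory)."""
    url = f"{base_url.rstrip('/')}/user/{target_user}/my-views/"
    creds = base64.b64encode(f"{user}:{token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    # usage: python check.py https://jenkins.example.com [lowpriv_user api_token target_user]
    base = sys.argv[1]
    ver = fetch_version(base)
    print(f"Jenkins {ver}: {'VULNERABLE' if is_vulnerable(ver) else 'fixed'} by version")
    if len(sys.argv) == 5:
        status = probe_my_views(base, *sys.argv[2:5])
        print(f"GET /user/{sys.argv[4]}/my-views/ as {sys.argv[2]} -> HTTP {status}")
```

Run the version check on its own first; only run the probe against an instance you are authorised to test, and use an account that really has nothing beyond Overall/Read, otherwise a 200 proves nothing.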
📡 Detection & Monitoring
Log Indicators:
- Requests to /user/<username>/my-views/ (and paths below it) where the authenticated account is not <username> and is not an administrator; a single account sweeping many different usernames is the clearest sign
- After patching, HTTP 403 responses on these paths; on unpatched versions no check fails, so the absence of permission-denied messages says nothing
Network Indicators:
- HTTP requests to user-specific view endpoints where the requesting account differs from the user in the path; this needs a log source that records the authenticated user (a reverse proxy seeing basic-auth or API-token requests, or the Audit Trail plugin), since Jenkins core writes no HTTP access log by default
SIEM Query:
source="jenkins" AND (uri="/user/*/my-views*" OR message="*permission*check*failed*view*")
Feed this from a reverse proxy access log or the Audit Trail plugin, and where the source records the authenticated user, add a condition that it differs from the username in the URI; the message clause only fires on fixed versions.
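The cross-user check described in the indicators above, run over sample log lines, as an added example (not part of Jenkins or the advisory). Jenkins core does not write an HTTP access log by default, so the input is assumed to come from a source that records the authenticated user; the sample lines are constructed for this example in an assumed "<timestamp>  <uri> by <user>" shape, and LINE_RE must be adapted to whatever your log source actually emits.

```python
"""Flag cross-user access to /user/<owner>/my-views in request logs.

Added example, not part of Jenkins or the advisory. The input is assumed to
come from a log source that records the authenticated user (for instance the
Audit Trail plugin or a reverse proxy log). The sample lines below are
constructed; the line shape "<timestamp>  <uri> by <user>" is an assumption,
so adapt LINE_RE to your real source.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>.+?)\s{2,}(?P<uri>\S+)\s+by\s+(?P<actor>\S+)\s*$"
)
MY_VIEWS_RE = re.compile(r"^/user/(?P<owner>[^/]+)/my-views(?:/|$)")

# Constructed sample log: alice walks through several other users' views,
# bob does normal work, and an administrator legitimately looks at bob's views.
SAMPLE_LOG = """\
Aug 08, 2024 9:01:12 AM  /user/alice/my-views/ by alice
Aug 08, 2024 9:01:40 AM  /user/bob/my-views/ by alice
Aug 08, 2024 9:01:45 AM  /user/carol/my-views/ by alice
Aug 08, 2024 9:02:03 AM  /user/dave/my-views/view/all/ by alice
Aug 08, 2024 9:05:30 AM  /job/build-app/build by bob
Aug 08, 2024 9:06:00 AM  /user/bob/my-views/ by admin
"""


def find_cross_user_access(lines, admins=frozenset()):
    """Return (timestamp, actor, owner, uri) for every My Views request whose
    requester is not the owner. Accounts in `admins` are skipped because
    Overall/Administer legitimately grants this access on fixed releases."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; keep sweeping rather than abort
        mv = MY_VIEWS_RE.match(m["uri"])
        if not mv:
            continue
        actor, owner = m["actor"], mv["owner"]
        if actor == owner or actor in admins:
            continue
        hits.append((m["ts"], actor, owner, m["uri"]))
    return hits


def enumeration_report(hits, threshold=2):
    """Group hits by actor and keep those who touched at least `threshold`
    distinct owners' views: one stray click is noise, a sweep across users
    is what exploitation of this issue looks like."""
    owners_by_actor = defaultdict(set)
    for _ts, actor, owner, _uri in hits:
        owners_by_actor[actor].add(owner)
    return {
        actor: sorted(owners)
        for actor, owners in owners_by_actor.items()
        if len(owners) >= threshold
    }


if __name__ == "__main__":
    hits = find_cross_user_access(SAMPLE_LOG.splitlines(), admins={"admin"})
    for ts, actor, owner, uri in hits:
        print(f"{ts}: {actor} read {owner}'s My Views ({uri})")
    for actor, owners in enumeration_report(hits).items():
        print(f"possible enumeration by {actor}: {', '.join(owners)}")
```

Pass your real administrator accounts in `admins` so that legitimate post-patch access does not page anyone, and keep the threshold low: the endpoint needed no tooling to hit, so even a short sweep by a non-admin account is worth a look.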