CVE-2024-47807
📋 TL;DR
This vulnerability in the Jenkins OpenId Connect Authentication Plugin lets attackers bypass authentication: affected versions do not properly validate the issuer of ID tokens, so a forged ID token can be accepted as a valid login. Attackers could gain unauthorized access, potentially with administrator privileges. All Jenkins instances using affected plugin versions are vulnerable.
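The weakness named above is a missing issuer check on ID token claims. The following is an added example (not code from the advisory or from the plugin) of the claim checks an OpenID Connect relying party is required to perform (OpenID Connect Core 1.0, section 3.1.3.7), including the issuer comparison. It assumes signature verification against the issuer's published keys has already been done; the tokens it builds are constructed, unsigned samples used only to exercise the validator, and the issuer and client id values are placeholders.

```python
"""Added example: OpenID Connect ID token claim validation with an issuer check.
Not the plugin's code. Signature verification is assumed to happen before
these claim checks; the sample tokens are constructed and unsigned (alg "none")
purely so the validator can be run offline."""
import base64
import json
import time

# Constructed relying-party configuration (placeholder values, not real endpoints).
EXPECTED_ISSUER = "https://idp.example.test"
CLIENT_ID = "jenkins-client-id"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the claim validator can be demonstrated.
    A real relying party must reject alg "none" and verify the signature first."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact-serialised JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def validate_id_token_claims(token: str, expected_issuer: str = EXPECTED_ISSUER,
                             client_id: str = CLIENT_ID, now: float = None):
    """Return (ok, reason). Every check is mandatory for a relying party; the
    issuer comparison is the one this advisory says affected versions lacked."""
    now = time.time() if now is None else now
    claims = decode_claims(token)

    # 1. The token must come from the issuer this relying party was configured for.
    #    Skipping this check means a token minted by any identity provider is accepted.
    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"

    # 2. The token must be intended for this client ("aud" may be a string or a list).
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return False, "audience mismatch"

    # 3. The token must not be expired.
    if "exp" not in claims or now >= claims["exp"]:
        return False, "token expired"

    # 4. A subject identifier is required to map the login to a user.
    if not claims.get("sub"):
        return False, "missing subject"

    return True, "ok"


if __name__ == "__main__":
    base = {"aud": CLIENT_ID, "sub": "alice", "exp": 2_000_000_000}
    genuine = make_sample_token({"iss": EXPECTED_ISSUER, **base})
    other_issuer = make_sample_token({"iss": "https://other-idp.example.test", **base})
    print(validate_id_token_claims(genuine, now=1_700_000_000))        # (True, 'ok')
    print(validate_id_token_claims(other_issuer, now=1_700_000_000))   # (False, 'issuer mismatch')
```

The point of the second call is the defender's check: a token whose `iss` names any provider other than the configured one is rejected before its subject is ever looked at, regardless of what the rest of the claims say.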
💻 Affected Systems
- Jenkins OpenId Connect Authentication Plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrator access to Jenkins, enabling complete system compromise, data theft, and deployment of malicious code.
Likely Case
Unauthorized users gain access to Jenkins with varying privilege levels, potentially accessing sensitive build data and executing arbitrary jobs.
If Mitigated
With proper network segmentation and monitoring, impact is limited to isolated Jenkins instances without lateral movement.
🎯 Exploit Status
Exploitation requires the ability to forge ID tokens but does not require existing authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.355 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3441%20(2)
Restart Required: Yes
Instructions:
1. Access the Jenkins plugin manager.
2. Update the OpenId Connect Authentication Plugin to version 4.355 or later.
3. Restart the Jenkins service.
🔧 Temporary Workarounds
Disable OpenId Connect Authentication
Temporarily disable OpenId Connect authentication until the patch can be applied.
Navigate to Jenkins > Manage Jenkins > Configure Global Security > Security Realm > Select alternative authentication method
🧯 If You Can't Patch
- Implement network-level controls to restrict Jenkins access to trusted IP addresses only
- Enable detailed authentication logging and monitor for suspicious login attempts
🔍 How to Verify
Check if Vulnerable:
Check plugin version in Jenkins > Manage Jenkins > Manage Plugins > Installed tab > OpenId Connect Authentication Plugin
Check Version:
Check the Jenkins web interface or plugin manager for version information.
Verify Fix Applied:
Verify plugin version is 4.355 or higher and test OpenId Connect authentication functionality
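For fleets of Jenkins controllers, checking the plugin version by hand is impractical. The script below is an added example (not from the advisory or from Jenkins) that reads the plugin list from the Jenkins remote API (`/pluginManager/api/json?depth=1`, authenticated with a user name and API token) and compares the installed version with the 4.355 fix version stated above. It assumes the plugin's short name in that listing is `oic-auth`; the plugin entry embedded in the script is a constructed sample so the comparison logic can be run offline.

```python
"""Added example: check a Jenkins controller for a fixed version of the
OpenId Connect Authentication Plugin via the plugin manager API.
Not the project's own tooling; plugin short name and sample data are assumptions."""
import base64
import json
import urllib.request

PLUGIN_SHORT_NAME = "oic-auth"   # assumed short name of the OpenId Connect Authentication Plugin
FIXED_VERSION = (4, 355)         # from the advisory: 4.355 or later is fixed


def parse_version(version: str) -> tuple:
    """Turn a Jenkins plugin version into a comparable tuple of its leading
    numeric components, e.g. "4.355.vabc123" -> (4, 355), "4.354" -> (4, 354).
    Trailing non-numeric segments (build hashes) are ignored."""
    numbers = []
    for piece in version.split("."):
        if piece.isdigit():
            numbers.append(int(piece))
        else:
            break
    return tuple(numbers)


def assess_plugin(plugin_manager_json: dict) -> dict:
    """Classify the controller as not_installed, vulnerable or fixed."""
    for plugin in plugin_manager_json.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = plugin.get("version", "")
        status = "fixed" if parse_version(version) >= FIXED_VERSION else "vulnerable"
        return {
            "installed": True,
            "active": bool(plugin.get("active", True)),
            "version": version,
            "status": status,
        }
    return {"installed": False, "active": False, "version": None, "status": "not_installed"}


def fetch_plugin_manager(jenkins_url: str, user: str, api_token: str) -> dict:
    """Fetch the plugin list from a live controller (not called in the offline demo)."""
    request = urllib.request.Request(jenkins_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    credentials = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    request.add_header("Authorization", "Basic " + credentials)
    with urllib.request.urlopen(request, timeout=15) as response:
        return json.load(response)


# Constructed sample responses in the shape the plugin manager API returns.
SAMPLE_VULNERABLE = {"plugins": [
    {"shortName": "git", "version": "5.2.0", "active": True},
    {"shortName": PLUGIN_SHORT_NAME, "version": "4.354", "active": True},
]}
SAMPLE_FIXED = {"plugins": [
    {"shortName": PLUGIN_SHORT_NAME, "version": "4.355.vconstructed_hash", "active": True},
]}
SAMPLE_ABSENT = {"plugins": [{"shortName": "git", "version": "5.2.0", "active": True}]}


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; for a real controller use
    # assess_plugin(fetch_plugin_manager("https://jenkins.example.test", "user", "API_TOKEN_PLACEHOLDER")).
    for name, sample in [("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED), ("absent", SAMPLE_ABSENT)]:
        print(name, assess_plugin(sample))
```

A controller reported as `vulnerable` but with `active` false is still worth patching: a disabled plugin becomes exploitable the moment someone re-enables it as the security realm.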
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts with mismatched issuer claims
- Successful logins from unexpected sources
Network Indicators:
- Unusual authentication traffic patterns to Jenkins
- External connections attempting OpenId Connect authentication
SIEM Query:
source="jenkins.log" AND ("OpenId Connect" OR "authentication failure") AND ("issuer" OR "token validation")