CVE-2024-47804
Description
If an attempt is made to create an item of a type prohibited by ACL#hasCreatePermission2 or TopLevelItemDescriptor#isApplicableIn(ItemGroup) through the Jenkins CLI or the REST API and either of these checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk, allowing attackers with Item/Configure permission to save the item to persist it, effectively bypassing the item creation restriction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins fails to delete prohibited items from memory, allowing attackers with Item/Configure to persist them and bypass creation restrictions.
Vulnerability
Details
Jenkins provides APIs for fine-grained control of item creation: the authorization strategy can veto creation of a given item type in a given location (ACL#hasCreatePermission2), and an item type can declare where it may be created (TopLevelItemDescriptor#isApplicableIn(ItemGroup)). However, when an item of a prohibited type is requested through the Jenkins CLI or the REST API and either check fails, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier has already created the item in memory; the failed check only removes the on-disk copy, so the rejected item remains registered in its parent and reachable for further operations [1][2].
Exploitation
An attacker with Item/Create permission can exploit this by attempting to create an item of a prohibited type; the request fails, but leaves the item present in memory. With additional Item/Configure permission on that item, the attacker can then save its configuration, which writes it back to disk and persists it, effectively bypassing the creation restriction [2].
Impact
Successful exploitation allows an attacker to create items of a type that the authorization strategy or the item type itself was meant to keep out of that location. The consequences depend on the item type and on what the restriction was protecting: at minimum the attacker obtains an unauthorized configuration, and further compromise is possible if the prohibited type grants capabilities the attacker was not meant to have.
Mitigation
Jenkins 2.479 and LTS 2.462.3 fix this issue by not retaining prohibited items in memory after a failed creation attempt [2]. Users should upgrade to one of these versions.
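The two-step sequence from the Exploitation section, and the ordering the fix restores, are easiest to see in a small model. The following is an added, simplified illustration written for this page; it is not Jenkins code, and the class, method and type names (ItemGroup, create_item_vulnerable, create_item_fixed, configure, "freestyle", "forbidden-type") are invented for the example. It keeps an item group's items both in a dictionary (memory) and as one file each (disk), and shows that only the creation path that checks before registering the item leaves nothing for an Item/Configure save to persist.

```python
"""Model of the CVE-2024-47804 failure mode: an item-creation path that
validates after registering the new item and rolls back only the on-disk
copy. Added illustration for this page, not Jenkins code; all names here
are hypothetical."""
import os
import tempfile


class CreationForbidden(Exception):
    """Raised when the type restriction rejects the requested item."""


class ItemGroup:
    """Holds items in memory (dict) and on disk (one file per item).
    `allowed_types` stands in for ACL#hasCreatePermission2 and
    TopLevelItemDescriptor#isApplicableIn(ItemGroup) combined."""

    def __init__(self, root_dir, allowed_types):
        self.root_dir = root_dir
        self.allowed_types = set(allowed_types)
        self.items = {}  # name -> (item_type, config): the in-memory registry

    def _path(self, name):
        return os.path.join(self.root_dir, name + ".xml")

    def _write(self, name, item_type, config):
        with open(self._path(name), "w", encoding="utf-8") as fh:
            fh.write(f"<{item_type}>{config}</{item_type}>")

    def create_item_vulnerable(self, name, item_type, config=""):
        # Flawed order: the item is registered in memory and written to
        # disk before the type restriction is evaluated ...
        self.items[name] = (item_type, config)
        self._write(name, item_type, config)
        if item_type not in self.allowed_types:
            # ... and the rollback deletes only the on-disk copy, leaving
            # the in-memory object reachable through the group.
            os.remove(self._path(name))
            raise CreationForbidden(item_type)

    def create_item_fixed(self, name, item_type, config=""):
        # Hardened order: reject first, so a prohibited item never exists.
        if item_type not in self.allowed_types:
            raise CreationForbidden(item_type)
        self.items[name] = (item_type, config)
        self._write(name, item_type, config)

    def configure(self, name, config):
        """The Item/Configure path: replaces the item's config and saves it.
        It requires only that the item exist in memory, not that its type
        be creatable here, so a leftover rejected item can be persisted."""
        item_type, _ = self.items[name]
        self.items[name] = (item_type, config)
        self._write(name, item_type, config)

    def on_disk(self, name):
        return os.path.exists(self._path(name))


def attacker_sequence(create):
    """Run the attack against one creation path: attempt a prohibited
    create, then save the item if it is still there. Returns whether a
    prohibited item ends up persisted on disk."""
    group = ItemGroup(tempfile.mkdtemp(), allowed_types={"freestyle"})
    try:
        create(group, "evil", "forbidden-type")
    except CreationForbidden:
        pass  # the API reports failure either way
    if "evil" not in group.items:
        return False  # nothing left in memory to save
    group.configure("evil", "<payload/>")  # Item/Configure save
    return group.on_disk("evil")


def vulnerable_persists():
    return attacker_sequence(ItemGroup.create_item_vulnerable)


def fixed_persists():
    return attacker_sequence(ItemGroup.create_item_fixed)


if __name__ == "__main__":
    print("vulnerable path persists prohibited item:", vulnerable_persists())
    print("fixed path persists prohibited item:", fixed_persists())
```

The point of the model is the rollback asymmetry: deleting the file undoes one of two registrations, and any later code path that trusts the in-memory registry (here, the configure-and-save path) will happily recreate the file. The fix is to evaluate the restriction before any state is created, or, failing that, to roll back every place the item was registered.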
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.main:jenkins-core (Maven) | < 2.462.3 | 2.462.3 |
| org.jenkins-ci.main:jenkins-core (Maven) | >= 2.466, < 2.479 | 2.479 |
Affected products
Four entries from OSV coordinates, three distinct version ranges:
- (no CPE) range: < 2.462.3-r0
- (no CPE) range: < 2.462.3
- (no CPE) range: < 2.462.3
- Jenkins Project / Jenkins, range: 2.462.3
Patches
No patches discovered yet.
References
- https://github.com/advisories/GHSA-f9qj-77q2-h5c5 (advisory, via GHSA)
- https://nvd.nist.gov/vuln/detail/CVE-2024-47804 (advisory, via GHSA)
- https://www.jenkins.io/security/advisory/2024-10-02/ (vendor advisory, via GHSA)
News mentions
- Jenkins Security Advisory 2024-10-02 (Jenkins Security Advisories, Oct 2, 2024)