Moderate severityNVD Advisory· Published Oct 2, 2024· Updated Mar 14, 2025
CVE-2024-47804
CVE-2024-47804
Description
If an attempt is made to create an item of a type prohibited by ACL#hasCreatePermission2 or TopLevelItemDescriptor#isApplicableIn(ItemGroup) through the Jenkins CLI or the REST API and either of these checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk, allowing attackers with Item/Configure permission to save the item to persist it, effectively bypassing the item creation restriction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.main:jenkins-coreMaven | < 2.462.3 | 2.462.3 |
org.jenkins-ci.main:jenkins-coreMaven | >= 2.466, < 2.479 | 2.479 |
Affected products
4- osv-coords3 versions
< 2.462.3-r0+ 2 more
- (no CPE)range: < 2.462.3-r0
- (no CPE)range: < 2.462.3
- (no CPE)range: < 2.462.3
- Range: 2.462.3
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-f9qj-77q2-h5c5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-47804ghsaADVISORY
- www.jenkins.io/security/advisory/2024-10-02/ghsavendor-advisoryWEB
News mentions
1- Jenkins Security Advisory 2024-10-02Jenkins Security Advisories · Oct 2, 2024