VYPR
Critical severity · NVD Advisory · Published Oct 2, 2024 · Updated Oct 2, 2024

CVE-2024-47806

Description

Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the aud (Audience) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins OpenId Connect Authentication Plugin fails to validate the `aud` claim, enabling attackers to subvert authentication and potentially gain admin access.

Vulnerability

Overview

CVE-2024-47806 is a missing aud (Audience) claim validation in the Jenkins OpenId Connect Authentication Plugin, versions 4.354.v321ce67a_1de8 and earlier. According to the official description and advisory [1][2], the plugin does not verify that the ID Token's audience claim matches the expected client ID. This flaw allows an attacker to craft or reuse tokens intended for a different relying party, thereby subverting the authentication flow.

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must be able to provide a malicious OpenID Connect ID Token to the Jenkins instance during authentication. The attack does not require prior network access or credentials because the vulnerable plugin will accept a token without verifying its intended audience [2]. By presenting a token with a manipulated aud claim, the attacker can impersonate any user that the token claims to represent.

Impact

Successful exploitation can lead to unauthorized access with any privilege level, including full administrative control of the Jenkins instance [1][2]. Since Jenkins administrators can execute arbitrary scripts and manage configurations, this could result in data exposure, system compromise, or lateral movement within the network.

Mitigation

Jenkins has released version 4.355.vb_ffe5f9ee1c2 of the OpenId Connect Authentication Plugin, which properly checks the aud claim [2]. Users should upgrade immediately. There is no indication that a workaround exists for earlier versions, making upgrading the only effective mitigation.
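To make the missing check concrete, here is an added example in Python (not the plugin's code; the real plugin is Java, and the key, issuer and client_id values below are constructed for the demo): a minimal HS256 ID-token validator with and without audience verification, following OpenID Connect Core 1.0 section 3.1.3.7. The validator without the check accepts a correctly signed token that the identity provider issued to a different relying party; the one with the check rejects it.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (not from the advisory): the stand-in IdP's HS256 key and Jenkins' client_id.
SHARED_KEY = b"constructed-demo-key"
JENKINS_CLIENT_ID = "jenkins-ci"
ISSUER = "https://idp.example"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Stand-in for the identity provider: sign the claims as an HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def _verified_claims(token: str, key: bytes = SHARED_KEY) -> dict:
    """Verify the signature and return the payload; forged tokens stop here."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))

def validate_vulnerable(token: str, now: float) -> str:
    """Mirrors the flaw: signature, issuer and expiry are checked, aud is not."""
    claims = _verified_claims(token)
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        raise ValueError("rejected")
    return claims["sub"]

def validate_fixed(token: str, now: float) -> str:
    """Adds the aud check (and azp, when present) per OpenID Connect Core 3.1.3.7."""
    claims = _verified_claims(token)
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        raise ValueError("rejected")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if JENKINS_CLIENT_ID not in audiences:
        raise ValueError("aud mismatch: token was not issued for this relying party")
    if claims.get("azp", JENKINS_CLIENT_ID) != JENKINS_CLIENT_ID:
        raise ValueError("azp mismatch")
    return claims["sub"]
```

The point of the comparison is that both validators accept the signature: the difference is purely whether the relying party checks that the token was addressed to it.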

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Ecosystem  Affected versions  Patched versions
org.jenkins-ci.plugins:oic-auth  Maven      < 4.355.v3a        4.355.v3a
