CVE-2024-47807
Description
Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the iss (Issuer) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins OpenId Connect Authentication Plugin ≤4.354.v321ce67a_1de8 fails to validate the ID Token 'iss' claim, enabling authentication bypass to admin access.
Vulnerability
The Jenkins OpenId Connect Authentication Plugin, versions 4.354.v321ce67a_1de8 and earlier, does not verify the iss (Issuer) claim in the ID Token received during the OpenID Connect authentication flow [1]. Checking the signature, expiry and audience alone does not bind a token to the provider the plugin was configured with, so any ID Token that passes those checks is accepted regardless of which issuer minted it.
Exploitation
An attacker can craft or obtain a valid ID Token from a different, potentially attacker-controlled, OpenID provider and present it during login. Because the plugin never compares the token's iss claim with the configured provider, it cannot tell a token issued for this Jenkins instance from one issued by an untrusted provider [2]. No prior authentication is required; the attack targets the login flow itself.
Impact
Successful exploitation allows the attacker to subvert the authentication flow and potentially gain administrator access to Jenkins [1]. Once logged in with a token from an untrusted issuer, the attacker may have full control over the Jenkins instance, including the ability to execute build jobs, manage credentials, and access sensitive data.
Mitigation
Jenkins has released version 4.355 of the OpenId Connect Authentication Plugin (the exact patched version is listed in the Affected packages table below), which validates the iss claim against the configured provider [2]. All users are strongly advised to update immediately. No workaround is available for older versions.
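The check the patch adds is a single claim comparison, but it is easy to see why its absence matters only when the rest of the validation is laid out next to it. The following Python is an added example, not the plugin's code: a minimal ID Token verifier in its vulnerable form (signature, exp and aud checked, iss ignored) beside the corrected form, run over two constructed tokens. Every issuer, client_id, key and claim value here is invented for the demonstration. HS256 with a shared secret stands in for the RS256/ES256-over-JWKS verification a real relying party performs; the token from the rogue issuer is signed with the same key, which models a deployment where the keys the relying party trusts are valid for more than one issuer (a constructed assumption, not a statement about any particular provider).

```python
# Added example (not the plugin's own code): minimal ID Token validation showing the
# missing 'iss' check beside the corrected one. HS256 with a shared secret keeps it
# self-contained; a real OIDC relying party verifies RS256/ES256 against the provider's
# JWKS, but the claim checks below are the same.
import base64
import hashlib
import hmac
import json

# Constructed values for the demonstration; none come from the advisory.
TRUSTED_ISSUER = "https://idp.example.com"      # issuer configured in the plugin
CLIENT_ID = "jenkins-client"                     # Jenkins' OIDC client_id (expected aud)
SIGNING_KEY = b"shared-signing-key-for-demo"     # key the relying party trusts
NOW = 1_700_000_000                              # fixed clock for deterministic results


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; stands in for an identity provider issuing an ID Token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_signature(token: str, key: bytes) -> dict:
    """Check the signature and return the payload claims, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    alg = json.loads(_b64url_decode(header)).get("alg")
    if alg != "HS256":
        raise ValueError(f"unexpected alg {alg!r}")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))


def _aud_list(claims: dict) -> list:
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def validate_vulnerable(token: str, key: bytes, client_id: str, now: int) -> dict:
    """Mirrors the flaw: signature, exp and aud are checked, iss is never compared."""
    claims = verify_signature(token, key)
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if client_id not in _aud_list(claims):
        raise ValueError("aud mismatch")
    return claims


def validate_fixed(token: str, key: bytes, client_id: str, issuer: str, now: int) -> dict:
    """Same checks plus the one the patch adds: iss must equal the configured issuer."""
    claims = validate_vulnerable(token, key, client_id, now)
    if claims.get("iss") != issuer:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    return claims


def run_scenario() -> dict:
    """A legitimate token and a same-aud/same-sub token from a different issuer."""
    base = {"sub": "admin", "aud": CLIENT_ID, "iat": NOW, "exp": NOW + 300}
    good = make_id_token({**base, "iss": TRUSTED_ISSUER}, SIGNING_KEY)
    # Constructed: the rogue issuer's token verifies under the key the relying party
    # trusts, modelling a shared-key / shared-JWKS deployment.
    rogue = make_id_token({**base, "iss": "https://rogue.example.net"}, SIGNING_KEY)

    checks = {
        "vulnerable": lambda t: validate_vulnerable(t, SIGNING_KEY, CLIENT_ID, NOW),
        "fixed": lambda t: validate_fixed(t, SIGNING_KEY, CLIENT_ID, TRUSTED_ISSUER, NOW),
    }
    results = {}
    for name, tok in (("good", good), ("rogue", rogue)):
        for variant, fn in checks.items():
            try:
                results[(name, variant)] = fn(tok)["sub"]
            except ValueError as e:
                results[(name, variant)] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for key, outcome in run_scenario().items():
        print(key, "->", outcome)
```

The vulnerable path logs the rogue token in as "admin" because nothing it checks distinguishes the two issuers; the fixed path rejects it with an issuer mismatch while still accepting the legitimate token. The comparison is an exact string match on the configured issuer, as the OpenID Connect Core validation rules require; normalising or prefix-matching the issuer would reopen the hole.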
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:oic-auth (Maven) | < 4.355.v3a | 4.355.v3a |
Affected products
- Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-8pjw-fff6-3mjv (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-47807 (NVD)
- www.jenkins.io/security/advisory/2024-10-02/ (Jenkins vendor advisory)
News mentions
- Jenkins Security Advisory 2024-10-02 (Jenkins Security Advisories, Oct 2, 2024)