CVE-2024-47804

MEDIUM

Jenkins <2.478 - Auth Bypass


Description

If an attempt is made to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGroup)` through the Jenkins CLI or the REST API and either of these checks fails, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk, allowing attackers with Item/Configure permission to save the item to persist it, effectively bypassing the item creation restriction.

Scores

CVSS v3 4.3
EPSS 0.0045
EPSS Percentile 63.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-843
Status published
Products (3)
jenkins/jenkins < 2.462.3
jenkins/jenkins < 2.479
org.jenkins-ci.main/jenkins-core 0 - 2.462.3 (Maven)
Published Oct 02, 2024
Tracked Since Feb 18, 2026