CVE-2024-47804
Severity: MEDIUM
Jenkins < 2.462.3 and < 2.479 - Unauthenticated Item Creation Restriction Bypass via CLI or REST API
Title source: llmDescription
If an attempt is made to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGroup)` through the Jenkins CLI or the REST API and either of these checks fails, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory and only deletes it from disk. This allows attackers with Item/Configure permission to save the item and thereby persist it, effectively bypassing the item creation restriction.
References (1)
Vendor Advisory: https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448
Scores
CVSS v3
4.3
EPSS
0.0068
EPSS Percentile
47.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-843
Status
published
Products (3)
jenkins/jenkins
< 2.462.3
jenkins/jenkins
< 2.479
org.jenkins-ci.main/jenkins-core
0 - 2.462.3 (Maven)
Published
Oct 02, 2024
Tracked Since
Feb 18, 2026