CVE-2024-47804

If an attempt is made to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGroup)` through the Jenkins CLI or the REST API and either of these checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk, allowing attackers with Item/Configure permission to save the item to persist it, effectively bypassing the item creation restriction.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*

History

13 Nov 2024, 17:28

Type Values Removed Values Added
First Time Jenkins
Jenkins jenkins
References () https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448 - () https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448 - Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.3
CWE NVD-CWE-noinfo
CPE cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*

04 Oct 2024, 13:50

Type Values Removed Values Added
Summary
  • (es) Si se intenta crear un elemento de un tipo prohibido por `ACL#hasCreatePermission2` o `TopLevelItemDescriptor#isApplicableIn(ItemGroup)` a través de la CLI de Jenkins o la API REST y cualquiera de estas comprobaciones falla, Jenkins 2.478 y anteriores, LTS 2.462.2 y anteriores crean el elemento en la memoria, solo eliminándolo del disco, lo que permite a los atacantes con permiso de Elemento/Configurar guardar el elemento para persistirlo, eludiendo efectivamente la restricción de creación de elementos.

02 Oct 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-02 16:15

Updated : 2024-11-13 17:28


NVD link : CVE-2024-47804

Mitre link : CVE-2024-47804

CVE.ORG link : CVE-2024-47804


JSON object : View

Products Affected

jenkins

  • jenkins