If an attempt is made to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGroup)` through the Jenkins CLI or the REST API and either of these checks fails, Jenkins 2.478 and earlier and LTS 2.462.2 and earlier create the item in memory, only deleting it from disk. This allows attackers with Item/Configure permission to save the item and persist it, effectively bypassing the item creation restriction.
References
Link | Resource |
---|---|
https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448 | Vendor Advisory |
History
13 Nov 2024, 17:28
Type | Values Removed | Values Added |
---|---|---|
First Time | Jenkins; Jenkins jenkins | |
References | () https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448 - Vendor Advisory | |
CVSS | v2 : v3 : | v2 : unknown, v3 : 4.3 |
CWE | NVD-CWE-noinfo | |
CPE | cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:* | |
04 Oct 2024, 13:50
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
02 Oct 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-02 16:15
Updated : 2024-11-13 17:28
NVD link : CVE-2024-47804
Mitre link : CVE-2024-47804
CVE.ORG link : CVE-2024-47804
Products Affected
jenkins
- jenkins
CWE