opensearch-build
opensearch-build copied to clipboard
opensearch-project
CVE-2024-47804 (Medium) detected in jenkins-core-2.426.3.jar
CVE-2024-47804 - Medium Severity Vulnerability
Vulnerable Library - jenkins-core-2.426.3.jar
Jenkins core code and view files to render HTML.
Library home page: https://github.com/jenkinsci/jenkins
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.main/jenkins-core/2.426.3/eee94c4c0c78e715d2a599eb66a5a89c5eed9d18/jenkins-core-2.426.3.jar
Dependency Hierarchy:
- :x: jenkins-core-2.426.3.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
If an attempt is made to create an item of a type prohibited by ACL#hasCreatePermission2 or TopLevelItemDescriptor#isApplicableIn(ItemGroup) through the Jenkins CLI or the REST API and either of these checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk, allowing attackers with Item/Configure permission to save the item to persist it, effectively bypassing the item creation restriction.
Publish Date: 2024-10-02
URL: CVE-2024-47804
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448
Release Date: 2024-10-02
Fix Resolution: org.jenkins-ci.main:jenkins-core:2.462.3,2.479
- [ ] Check this box to open an automated fix PR
![mend-for-github-com[bot] avatar](https://avatars.githubusercontent.com/in/30796?v=4 "Published by a pub.dev verified publisher"){kind=small}