CVE-2024-47804 — Vulnetix

CVE-2024-47804 PUBLISHED

If an attempt is made to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGroup)` through the Jenkins CLI or the REST API and either of these checks fail, Jenkins LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk, allowing attackers with Item/Configure permission to save the item to persist it, effectively bypassing the item creation restriction.

EPSS 0.45% · 63.8th percentile

Risk Scores

EPSS Score

0.45%

63.8th percentile

Affected Products

Vendor	Product	Versions
Bitnami	jenkins	0
Bitnami	jenkins	0

Timeline

Oct 2, 2024 CVE Published
Oct 3, 2024 EPSS Score
Oct 5, 2024 Coalition ESS Score
Oct 22, 2024 EPSS Score
Nov 10, 2024 EPSS Score
Nov 14, 2024 Coalition ESS Score
Nov 29, 2024 EPSS Score
Dec 19, 2024 EPSS Score
Dec 28, 2024 Coalition ESS Score
Jan 26, 2025 EPSS Score
Feb 14, 2025 EPSS Score
Mar 5, 2025 EPSS Score

References

https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448 url
https://nvd.nist.gov/vuln/detail/CVE-2024-47804 url

Open in Interactive Console →