CVE-2024-43045 Overview
CVE-2024-43045 is a Missing Authorization vulnerability affecting Jenkins 2.470 and earlier, as well as LTS 2.452.3 and earlier. The vulnerability stems from a missing permission check in an HTTP endpoint, which allows attackers with Overall/Read permission to access other users' "My Views" configurations. This represents a Broken Access Control flaw (CWE-862) that enables horizontal privilege escalation within Jenkins environments.
Critical Impact
Attackers with basic read access can view, modify, and potentially delete other users' custom Jenkins views, exposing sensitive build configurations and potentially disrupting CI/CD pipelines.
Affected Products
- Jenkins 2.470 and earlier (weekly releases)
- Jenkins LTS 2.452.3 and earlier (Long-Term Support releases)
- All Jenkins installations with users having Overall/Read permissions
Discovery Timeline
- 2024-08-07 - CVE-2024-43045 published to NVD
- 2024-08-07 - Jenkins releases security advisory SECURITY-3349
- 2025-03-25 - Last updated in NVD database
Technical Details for CVE-2024-43045
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), a common access control flaw where the application fails to verify that a user is authorized to perform a specific action. In Jenkins, "My Views" is a feature that allows users to create personalized dashboard views of jobs and builds. The vulnerable HTTP endpoint responsible for handling "My Views" operations lacks proper permission validation, allowing any authenticated user with Overall/Read permission to access views belonging to other users.
The attack requires network access and authentication with basic read permissions. Due to the missing authorization check, attackers can enumerate and access views across user accounts, potentially exposing sensitive project configurations, build parameters, and organizational CI/CD structures.
Root Cause
The root cause is a missing permission check in the HTTP endpoint that handles access to user-specific views. Jenkins failed to validate whether the requesting user has authorization to access the specific "My Views" resource owned by another user. The endpoint correctly enforces Overall/Read permission but neglects to verify ownership or explicit sharing permissions for the target view.
Attack Vector
The attack can be performed remotely over the network by any authenticated Jenkins user with Overall/Read permission. The attacker constructs HTTP requests to the vulnerable endpoint, specifying another user's view identifier. Without proper authorization checks, Jenkins processes the request and returns the view data, regardless of ownership.
An attacker would typically:
- Authenticate to Jenkins with an account having Overall/Read permission
- Enumerate or guess view identifiers belonging to other users
- Send crafted HTTP requests to the vulnerable endpoint targeting those views
- Gain unauthorized access to view, modify, or delete other users' custom views
This vulnerability does not require user interaction and can be exploited programmatically to systematically access views across the Jenkins instance.
Detection Methods for CVE-2024-43045
Indicators of Compromise
- Unusual access patterns to /user/*/my-views/ endpoints from accounts that don't own those views
- HTTP requests attempting to access views with user identifiers different from the authenticated session
- Audit log entries showing view access or modifications by users who are not the view owners
- Increased enumeration activity targeting user view endpoints
Detection Strategies
- Monitor Jenkins audit logs for access to "My Views" endpoints by users other than the view owner
- Implement network monitoring rules to detect unusual patterns of requests to user-specific view endpoints
- Deploy application-layer detection for HTTP requests that attempt to access views across user boundaries
- Review Jenkins access logs for sequential or enumeration-style requests to view endpoints
Monitoring Recommendations
- Enable Jenkins audit logging and monitor for cross-user view access attempts
- Configure alerting for failed or unusual authorization patterns in Jenkins logs
- Implement SentinelOne Singularity platform monitoring for suspicious Jenkins process activity
- Regularly review user activity reports for anomalous view access patterns
How to Mitigate CVE-2024-43045
Immediate Actions Required
- Upgrade Jenkins weekly releases to version 2.471 or later
- Upgrade Jenkins LTS to version 2.452.4 or later
- Review Jenkins user permissions and restrict Overall/Read access to only necessary users
- Audit existing user views for any unauthorized modifications
Patch Information
Jenkins has addressed this vulnerability in their Security Advisory SECURITY-3349. The fix adds proper permission validation to the affected HTTP endpoint, ensuring users can only access their own "My Views" or views explicitly shared with them.
Administrators should update to:
- Jenkins weekly 2.471 or later
- Jenkins LTS 2.452.4 or later
Workarounds
- Restrict Overall/Read permission to only trusted users until patches can be applied
- Implement network-level access controls to limit who can reach Jenkins endpoints
- Use Jenkins' built-in matrix-based security to enforce stricter permission boundaries
- Consider temporarily disabling the "My Views" feature if not critical to operations
# Configuration example
# Verify Jenkins version after upgrade
java -jar jenkins-cli.jar -s http://localhost:8080/ version
# Review users with Overall/Read permission
# Navigate to: Manage Jenkins > Configure Global Security > Authorization
# Audit and restrict Overall/Read to minimum necessary users
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
