
CVE-2024-47806: Jenkins OpenID Auth Bypass Vulnerability

CVE-2024-47806 is an authentication bypass flaw in Jenkins OpenID Connect Authentication Plugin that allows attackers to subvert authentication and gain admin access. This article covers technical details, affected versions, and mitigations.

CVE-2024-47806 Overview

CVE-2024-47806 affects the Jenkins OpenId Connect Authentication Plugin version 4.354.v321ce67a_1de8 and earlier. The plugin fails to validate the aud (Audience) claim of an ID Token during the OpenID Connect (OIDC) authentication flow. Attackers can subvert the authentication process by presenting tokens issued for a different relying party. Successful exploitation can grant administrator access to Jenkins instances configured with this plugin. The flaw is categorized under [CWE-287] Improper Authentication.

Critical Impact

Attackers can bypass OIDC authentication and obtain administrator-level access to vulnerable Jenkins controllers.

Affected Products

  • Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier
  • Jenkins controllers configured with the affected plugin for OIDC single sign-on
  • Any CI/CD pipeline relying on the vulnerable plugin for identity federation

Discovery Timeline

  • 2024-10-02 - Jenkins releases security advisory SECURITY-3441
  • 2024-10-02 - CVE-2024-47806 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-47806

Vulnerability Analysis

The Jenkins OpenId Connect Authentication Plugin implements OIDC-based single sign-on for Jenkins controllers. During the token validation phase, the plugin verifies the issuer, signature, and expiration of incoming ID Tokens. The plugin does not validate the aud (Audience) claim, which identifies the intended recipient of the token.

Without audience validation, the plugin accepts any token signed by the trusted identity provider, regardless of which client application the token was issued for. An attacker who obtains an ID Token issued for a different relying party that shares the same identity provider can replay that token against Jenkins. The plugin treats the token as valid and authenticates the attacker under the identity contained in the token. If that identity maps to a Jenkins administrator account, the attacker gains full control of the Jenkins instance.

Root Cause

The root cause is missing audience claim verification, a required step in [RFC 7519] and the OpenID Connect Core specification. Token validators must confirm that the aud claim contains the client identifier of the relying party. The plugin omitted this check, breaking the trust boundary between distinct OIDC clients sharing one identity provider.
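The missing check, as an added Python example that is not the plugin's own code: a minimal ID Token validator that verifies signature, issuer and expiry, with the audience check switchable so the vulnerable and fixed behaviour can be compared side by side. It uses HS256 with a constructed shared secret as a stand-in for an identity provider's RS256 key pair; the issuer URL, the `jenkins` client identifier and the second relying party `wiki` are assumed values.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo values: a shared secret stands in for the IdP signing key,
# and "wiki" is a second relying party registered with the same IdP.
IDP_SECRET = b"constructed-demo-idp-key"
ISSUER = "https://idp.example.test"
JENKINS_CLIENT_ID = "jenkins"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(sub: str, aud, lifetime: int = 300) -> str:
    """Stand-in for the IdP: issue an HS256 ID Token for one relying party (aud)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    now = int(time.time())
    payload = _b64url(json.dumps({"iss": ISSUER, "sub": sub, "aud": aud,
                                  "iat": now, "exp": now + lifetime}).encode())
    sig = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token: str, check_audience: bool) -> Optional[dict]:
    """Return the claims if the token is acceptable, else None.
    check_audience=False mirrors the vulnerable plugin: iss, signature and exp are
    verified but aud is ignored, so a token minted for another client is accepted."""
    try:
        header, payload, sig = token.split(".")
        signed = f"{header}.{payload}".encode()
        expected = hmac.new(IDP_SECRET, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # signature does not come from the trusted IdP
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # covers bad padding, bad base64 and bad JSON
        return None
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= int(time.time()):
        return None  # wrong issuer or expired
    if check_audience:
        aud = claims.get("aud")
        auds = aud if isinstance(aud, list) else [aud]  # aud may be a string or an array
        if JENKINS_CLIENT_ID not in auds:
            return None  # issued for a different relying party: the CVE-2024-47806 case
    return claims

if __name__ == "__main__":
    foreign = mint_id_token("alice", aud="wiki")  # token issued to the other client
    print("vulnerable accepts foreign token:", validate_id_token(foreign, False) is not None)
    print("fixed accepts foreign token:", validate_id_token(foreign, True) is not None)
```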

Attack Vector

Exploitation requires the attacker to obtain a valid ID Token signed by the identity provider trusted by the Jenkins instance. The token can originate from any application registered with that provider. The attacker submits the token to the Jenkins OIDC callback endpoint. Jenkins validates the signature and issuer, skips the audience check, and establishes an authenticated session matching the subject in the token. The attack vector is network-based and does not require prior credentials on Jenkins itself.

No public proof-of-concept exploit is currently available for this issue. Refer to the Jenkins Security Advisory for additional technical context.

Detection Methods for CVE-2024-47806

Indicators of Compromise

  • Jenkins authentication events showing OIDC logins from subjects that do not correspond to registered Jenkins users
  • Successful administrator logins immediately following access to the /securityRealm/finishLogin callback endpoint
  • ID Tokens in proxy or web server logs containing aud claims that differ from the Jenkins client identifier
  • New administrator accounts, job creations, or credential exports occurring shortly after suspicious OIDC callbacks

Detection Strategies

  • Inspect Jenkins access logs for OIDC callback requests originating from unexpected IP ranges or user agents
  • Correlate identity provider audit logs against Jenkins login events to detect tokens issued for other clients reaching Jenkins
  • Audit installed plugin versions against the fixed release listed in the Jenkins security advisory
  • Review Jenkins audit trail for privilege changes, new credentials, and pipeline modifications during the exposure window

Monitoring Recommendations

  • Forward Jenkins $JENKINS_HOME/logs and reverse proxy logs to a centralized logging platform for retention and analysis
  • Alert on unauthorized configuration changes, new administrator role assignments, and bulk credential access on Jenkins
  • Monitor outbound network traffic from Jenkins agents for connections to unfamiliar hosts after suspicious logins

How to Mitigate CVE-2024-47806

Immediate Actions Required

  • Upgrade the Jenkins OpenId Connect Authentication Plugin to version 4.355.v3a_fb_fca_b_96d4 or later
  • Rotate Jenkins API tokens, SSH keys, and stored credentials that may have been exposed during the vulnerable period
  • Review administrator group membership and remove any accounts that cannot be attributed to legitimate users
  • Restrict network access to the Jenkins controller to trusted networks while patching is in progress

Patch Information

Jenkins published advisory SECURITY-3441 on 2024-10-02 with a fixed plugin release that validates the aud claim against the configured client identifier. Administrators should update through the Jenkins Plugin Manager and restart the controller. Detailed remediation guidance is available in the Jenkins Security Advisory.

Workarounds

  • Disable the OpenId Connect Authentication Plugin and revert to an alternative authentication realm until the patch is applied
  • Restrict the identity provider to issue tokens only for the Jenkins client identifier where feasible
  • Place Jenkins behind a reverse proxy that enforces additional access controls such as IP allow-listing or mutual TLS
```bash
# Verify the installed plugin version on the Jenkins controller
jenkins-cli -s https://jenkins.example.com/ list-plugins | grep oic-auth

# Upgrade via Jenkins CLI after downloading the fixed release
jenkins-cli -s https://jenkins.example.com/ install-plugin oic-auth -restart
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
