Bug 2316131 (CVE-2024-47804) - CVE-2024-47804 jenkins: Item creation restriction bypass vulnerability
Summary: CVE-2024-47804 jenkins: Item creation restriction bypass vulnerability
Keywords:
Status: NEW
Alias: CVE-2024-47804
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-10-02 16:01 UTC by OSIDB Bzimport
Modified: 2024-10-02 21:09 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2024-10-02 16:01:52 UTC
If an attempt is made through the Jenkins CLI or the REST API to create an item of a type prohibited by `ACL#hasCreatePermission2` or `TopLevelItemDescriptor#isApplicableIn(ItemGroup)`, and either of these checks fails, Jenkins 2.478 and earlier and LTS 2.462.2 and earlier still create the item in memory and only delete it from disk. This allows attackers with Item/Configure permission to save the item and thereby persist it, effectively bypassing the item creation restriction.
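The condition described above leaves an item loaded in memory with no config.xml backing it on disk. As an added example (not part of this bug report or of the Jenkins project), the following script-console check lists such items so an administrator can review them before anyone with Item/Configure permission saves them; it assumes a controller where the caller has Overall/Administer and that all items of interest are `AbstractItem` subclasses (which the standard job and folder types are).

```groovy
// Added example: find items held in memory whose config.xml does not exist on disk.
// Run in Manage Jenkins > Script Console (requires Overall/Administer).
import jenkins.model.Jenkins
import hudson.model.AbstractItem

def jenkins = Jenkins.get()

// Every item the controller currently knows about, recursing into folders.
def allItems = jenkins.getAllItems(AbstractItem.class)

// An item whose backing config.xml is missing has not been persisted; in the
// scenario from this bug it was created in memory after a failed creation check.
def unpersisted = allItems.findAll { item ->
    !item.getConfigFile().getFile().exists()
}

if (unpersisted.isEmpty()) {
    println "No in-memory items without an on-disk config.xml (${allItems.size()} items checked)."
} else {
    println "Items present in memory but missing config.xml on disk:"
    unpersisted.each { item ->
        println "  ${item.getFullName()} [${item.getClass().getSimpleName()}] expected at ${item.getConfigFile().getFile()}"
    }
}
```

Because Jenkins rebuilds its item tree from disk at startup, an item that appears in this list and is never saved will not survive a controller restart; a match can also stem from a config.xml removed by hand, so review each hit rather than assuming this bug was triggered.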

