Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-49hx-9mm2-7675

GitHub Security Advisory

Jenkins OpenId Connect Authentication Plugin lacks audience claim validation

✓ GitHub Reviewed CRITICAL Has CVE
View on GitHub

Advisory Details

Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `aud` (Audience) claim of an ID Token during its authentication flow, a value to verify the token is issued for the correct client.

This vulnerability may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.

OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the `aud` (Audience) claim of an ID Token during its authentication flow.

Affected Packages

Maven org.jenkins-ci.plugins:oic-auth
Affected versions: 0 (fixed in 4.355.v3a)

Related CVEs

CVE-2024-47806

Key Information

GHSA ID
GHSA-49hx-9mm2-7675
Published
October 2, 2024 6:31 PM
Last Modified
October 2, 2024 9:50 PM
CVSS Score
9.0 /10
Primary Ecosystem
Maven
Primary Package
org.jenkins-ci.plugins:oic-auth
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.