Jenkins Security Bulletin: Multiple CVEs (Info Leak, Bypass, Credential Leak, OIDC Auth)

From this webpage screenshot, the following key information about vulnerabilities can be obtained: 1. Vulnerability IDs and Types: - SECURITY-3451 / CVE-2024-7803: Exposure of multi-line secrets via error messages in Jenkins. - SECURITY-3448 / CVE-2024-47804: Project creation restriction bypass vulnerability in Jenkins. - SECURITY-3373 / CVE-2024-47805: Leakage of encrypted credentials via extension read permissions in the Credentials plugin. - SECURITY-3441 (1) / CVE-2024-47806: Lack of audience claim validation in the OpenID Connect authentication plugin. - SECURITY-3441 (2) / CVE-2024-47807: Lack of issuer claim validation in the OpenID Connect authentication plugin. 2. Vulnerability Descriptions: - SECURITY-3451: Jenkins exposes multi-line secrets in error messages. - SECURITY-3448: Jenkins allows bypassing project creation restrictions. - SECURITY-3373: The Credentials plugin leaks encrypted credentials. - SECURITY-3441 (1): The OpenID authentication plugin does not validate audience claims. - SECURITY-3441 (2): The OpenID authentication plugin does not validate issuer claims. 3. Affected Versions: - Jenkins weekly: Versions 2.478 and earlier. - Jenkins LTS: Versions 2.462.2 and earlier. - Credentials plugin: Versions 1380.va_435002fa_924 and earlier. - OpenID authentication plugin: Versions 4.354.v321ce67a_1de8 and earlier. 4. Remediation: - Upgrade to the specified versions to fix the above vulnerabilities. 5. Credits: - Thanks to the individuals who reported these vulnerabilities. This information helps users understand the security vulnerabilities present in Jenkins, the affected version ranges, and how to remediate them by upgrading to the latest versions.

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Security Bulletin: Multiple CVEs (Info Leak, Bypass, Credential Leak, OIDC Auth)