CVE-2024-47804: 
Java vulnerability analysis and mitigation

CVE-2024-47804 is a medium severity vulnerability affecting Jenkins server that was discovered and disclosed on October 2, 2024. The vulnerability affects Jenkins versions 2.478 and earlier, as well as LTS 2.462.2 and earlier. This security flaw involves a bypass of item creation restrictions through the Jenkins CLI or REST API (Jenkins Advisory).

The vulnerability stems from Jenkins' APIs for fine-grained control of item creation, specifically involving ACL#hasCreatePermission2 and TopLevelItemDescriptor#isApplicableIn(ItemGroup). When attempting to create a prohibited item type through the Jenkins CLI or REST API, the affected versions create the item in memory while only deleting it from disk, rather than preventing the creation entirely. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (NVD).

This vulnerability allows attackers with Item/Create permission to bypass item creation restrictions by creating temporary items. Furthermore, if an attacker has Item/Configure permission, they can persist these items by saving them, effectively circumventing the intended security controls (Jenkins Advisory).

The vulnerability has been fixed in Jenkins weekly version 2.479 and LTS version 2.462.3. In these updated versions, Jenkins does not retain the item in memory when an attempt is made to create a prohibited item type through the CLI or REST API. Users are advised to upgrade to these patched versions to mitigate the vulnerability (Jenkins Advisory).