CVE-2024-47806: 
Java vulnerability analysis and mitigation

The Jenkins OpenId Connect Authentication Plugin versions 4.354.v321ce67a_1de8 and earlier contain a high-severity vulnerability (CVE-2024-47806) discovered in October 2024. The vulnerability stems from the plugin's failure to validate the aud (Audience) claim of an ID Token during the authentication flow, which is meant to verify that the token is issued for the correct client (Jenkins Advisory).

The vulnerability exists in the authentication flow of the OpenId Connect Authentication Plugin where it fails to perform proper validation of the aud (Audience) claim in ID Tokens. This claim is crucial for verifying that the token was issued for the intended client. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability could allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins instances. This represents a significant security risk as it could lead to complete compromise of the Jenkins server (SecurityWeek, Security Online).

Users are strongly advised to update to OpenId Connect Authentication Plugin version 4.355.v3a_fb_fca_b_96d4, which implements proper validation of the aud (Audience) claim during the ID Token authentication flow (Jenkins Advisory).

The security community has emphasized the severity of this vulnerability alongside other Jenkins security issues discovered in the same timeframe. Security researchers and industry experts have urged immediate updates to affected systems (SecurityWeek).