CVE-2024-47807: 
Java vulnerability analysis and mitigation

The Jenkins OpenId Connect Authentication Plugin versions 4.354.v321ce67a_1de8 and earlier contain a critical security vulnerability identified as CVE-2024-47807. The vulnerability stems from the plugin's failure to validate the iss (Issuer) claim of an ID Token during the authentication flow. This claim is crucial as it identifies the Originating Party (IdP) in the OpenID Connect protocol (Jenkins Advisory).

The vulnerability is rated as High severity and affects the OpenID Connect Authentication plugin (oic-auth). The core issue lies in the authentication flow where the plugin fails to verify the iss (Issuer) claim, which is a fundamental security check in OpenID Connect protocol implementation. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its potential for significant impact (NIST NVD).

The vulnerability could allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins instances. This represents a critical security risk as it could lead to complete compromise of the Jenkins server and its associated resources (Security Online).

The vulnerability has been fixed in OpenId Connect Authentication Plugin version 4.355.v3afbfcab96d4. When updating to this version, users must ensure proper configuration: for 'Manual entry' configuration mode, the new 'Issuer' field must be populated after updating to protect from this issue. For 'Discovery via well-known endpoint' configuration, the Issuer will be set automatically (Jenkins Advisory).

The Jenkins project has acknowledged the severity of this vulnerability and credited James Nord from CloudBees, Inc. for discovering and reporting this security issue (Jenkins Advisory).