Vulnerability Instance
Look up a single vulnerability record, including the packages it affects and the versions that fix it.
GET /api/vulnerabilities/11960?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11960?format=api", "vulnerability_id": "VCID-vpxs-mxz3-xqch", "summary": "Jenkins item creation restriction bypass vulnerability\nJenkins provides APIs for fine-grained control of item creation:\n\n- Authorization strategies can prohibit the creation of items of a given type in a given item group (`ACL#hasCreatePermission2`).\n\n- Item types can prohibit creation of new instances in a given item group (`TopLevelItemDescriptor#isApplicableIn(ItemGroup)`).\n\nIf an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk.\n\nThis allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it.\n\nIf an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fail, Jenkins 2.479, LTS 2.462.3 does not retain the item in memory.", "aliases": [ { "alias": "CVE-2024-47804" }, { "alias": "GHSA-f9qj-77q2-h5c5" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/43037?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.462.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.462.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/43045?format=api", "purl": "pkg:maven/org.jenkins-ci.main/jenkins-core@2.479", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.479" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/146272?format=api", "purl": 
"pkg:maven/org.jenkins-ci.main/jenkins-core@2.466", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-jarz-xtnw-ufbz" }, { "vulnerability": "VCID-vpxs-mxz3-xqch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.466" }, { "url": "http://public2.vulnerablecode.io/api/packages/92338?format=api", "purl": "pkg:rpm/redhat/jenkins@2.462.3.1729837947-3?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1bh8-3gb1-4ben" }, { "vulnerability": "VCID-jarz-xtnw-ufbz" }, { "vulnerability": "VCID-mkf8-a5k3-83fs" }, { "vulnerability": "VCID-vpxs-mxz3-xqch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.462.3.1729837947-3%3Farch=el8" }, { "url": "http://public2.vulnerablecode.io/api/packages/92340?format=api", "purl": "pkg:rpm/redhat/jenkins@2.462.3.1729839727-3?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1bh8-3gb1-4ben" }, { "vulnerability": "VCID-jarz-xtnw-ufbz" }, { "vulnerability": "VCID-mkf8-a5k3-83fs" }, { "vulnerability": "VCID-vpxs-mxz3-xqch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.462.3.1729839727-3%3Farch=el8" }, { "url": "http://public2.vulnerablecode.io/api/packages/92336?format=api", "purl": "pkg:rpm/redhat/jenkins@2.462.3.1729839924-3?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1bh8-3gb1-4ben" }, { "vulnerability": "VCID-jarz-xtnw-ufbz" }, { "vulnerability": "VCID-mkf8-a5k3-83fs" }, { "vulnerability": "VCID-vpxs-mxz3-xqch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.462.3.1729839924-3%3Farch=el8" }, { "url": "http://public2.vulnerablecode.io/api/packages/92335?format=api", "purl": "pkg:rpm/redhat/jenkins@2.462.3.1730119132-3?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": 
"VCID-1bh8-3gb1-4ben" }, { "vulnerability": "VCID-jarz-xtnw-ufbz" }, { "vulnerability": "VCID-mkf8-a5k3-83fs" }, { "vulnerability": "VCID-qnbx-c635-hqer" }, { "vulnerability": "VCID-vpxs-mxz3-xqch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.462.3.1730119132-3%3Farch=el8" }, { "url": "http://public2.vulnerablecode.io/api/packages/92334?format=api", "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.12.1730119231-1?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1bh8-3gb1-4ben" }, { "vulnerability": "VCID-jarz-xtnw-ufbz" }, { "vulnerability": "VCID-mkf8-a5k3-83fs" }, { "vulnerability": "VCID-qnbx-c635-hqer" }, { "vulnerability": "VCID-vpxs-mxz3-xqch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.12.1730119231-1%3Farch=el8" }, { "url": "http://public2.vulnerablecode.io/api/packages/92339?format=api", "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.13.1729840148-1?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1bh8-3gb1-4ben" }, { "vulnerability": "VCID-jarz-xtnw-ufbz" }, { "vulnerability": "VCID-mkf8-a5k3-83fs" }, { "vulnerability": "VCID-vpxs-mxz3-xqch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.13.1729840148-1%3Farch=el8" }, { "url": "http://public2.vulnerablecode.io/api/packages/92337?format=api", "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.14.1729839844-1?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1bh8-3gb1-4ben" }, { "vulnerability": "VCID-jarz-xtnw-ufbz" }, { "vulnerability": "VCID-mkf8-a5k3-83fs" }, { "vulnerability": "VCID-vpxs-mxz3-xqch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.14.1729839844-1%3Farch=el8" }, { "url": "http://public2.vulnerablecode.io/api/packages/92341?format=api", "purl": 
"pkg:rpm/redhat/jenkins-2-plugins@4.15.1729838165-1?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1bh8-3gb1-4ben" }, { "vulnerability": "VCID-jarz-xtnw-ufbz" }, { "vulnerability": "VCID-mkf8-a5k3-83fs" }, { "vulnerability": "VCID-vpxs-mxz3-xqch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.15.1729838165-1%3Farch=el8" } ], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47804.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47804.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47804", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63619", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63538", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.6359", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63607", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63622", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63606", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63609", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63618", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63601", "published_at": 
"2026-04-21T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63545", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00448", "scoring_system": "epss", "scoring_elements": "0.63573", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47804" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47804", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47804" }, { "reference_url": "https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" }, { "value": "5.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T16:31:07Z/" } ], "url": "https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316131", "reference_id": "2316131", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2316131" }, { "reference_url": "https://github.com/advisories/GHSA-f9qj-77q2-h5c5", "reference_id": "GHSA-f9qj-77q2-h5c5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-f9qj-77q2-h5c5" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8884", "reference_id": "RHSA-2024:8884", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8884" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8885", "reference_id": "RHSA-2024:8885", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8885" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8886", "reference_id": "RHSA-2024:8886", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8886" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8887", "reference_id": "RHSA-2024:8887", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8887" } ], "weaknesses": [ { "cwe_id": 843, "name": "Access of Resource Using Incompatible Type ('Type Confusion')", "description": "The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type." }, { "cwe_id": 863, "name": "Incorrect Authorization", "description": "The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions." }, { "cwe_id": 1220, "name": "Insufficient Granularity of Access Control", "description": "The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets." 
}, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "4.0 - 6.9", "exploitability": "0.5", "weighted_severity": "6.2", "risk_score": 3.1, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vpxs-mxz3-xqch" }