
Vulnerability_id VCID-vpxs-mxz3-xqch
Summary
Jenkins item creation restriction bypass vulnerability
Jenkins provides APIs for fine-grained control of item creation:

- Authorization strategies can prohibit the creation of items of a given type in a given item group (`ACL#hasCreatePermission2`).

- Item types can prohibit creation of new instances in a given item group (`TopLevelItemDescriptor#isApplicableIn(ItemGroup)`).

If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fails, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk.

This allows attackers with Item/Create permission to bypass these restrictions, creating a temporary item. With Item/Configure permission, they can also save the item to persist it.

If an attempt is made to create an item of a prohibited type through the Jenkins CLI or the REST API and either of the above checks fails, Jenkins 2.479 and LTS 2.462.3 do not retain the item in memory.
Aliases
0
alias CVE-2024-47804
1
alias GHSA-f9qj-77q2-h5c5
Fixed_packages
0
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.462.3
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.462.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.462.3
1
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.479
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.479
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.479
Affected_packages
0
url pkg:maven/org.jenkins-ci.main/jenkins-core@2.466
purl pkg:maven/org.jenkins-ci.main/jenkins-core@2.466
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jarz-xtnw-ufbz
1
vulnerability VCID-vpxs-mxz3-xqch
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.main/jenkins-core@2.466
1
url pkg:rpm/redhat/jenkins@2.462.3.1729837947-3?arch=el8
purl pkg:rpm/redhat/jenkins@2.462.3.1729837947-3?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bh8-3gb1-4ben
1
vulnerability VCID-jarz-xtnw-ufbz
2
vulnerability VCID-mkf8-a5k3-83fs
3
vulnerability VCID-vpxs-mxz3-xqch
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.462.3.1729837947-3%3Farch=el8
2
url pkg:rpm/redhat/jenkins@2.462.3.1729839727-3?arch=el8
purl pkg:rpm/redhat/jenkins@2.462.3.1729839727-3?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bh8-3gb1-4ben
1
vulnerability VCID-jarz-xtnw-ufbz
2
vulnerability VCID-mkf8-a5k3-83fs
3
vulnerability VCID-vpxs-mxz3-xqch
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.462.3.1729839727-3%3Farch=el8
3
url pkg:rpm/redhat/jenkins@2.462.3.1729839924-3?arch=el8
purl pkg:rpm/redhat/jenkins@2.462.3.1729839924-3?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bh8-3gb1-4ben
1
vulnerability VCID-jarz-xtnw-ufbz
2
vulnerability VCID-mkf8-a5k3-83fs
3
vulnerability VCID-vpxs-mxz3-xqch
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.462.3.1729839924-3%3Farch=el8
4
url pkg:rpm/redhat/jenkins@2.462.3.1730119132-3?arch=el8
purl pkg:rpm/redhat/jenkins@2.462.3.1730119132-3?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bh8-3gb1-4ben
1
vulnerability VCID-jarz-xtnw-ufbz
2
vulnerability VCID-mkf8-a5k3-83fs
3
vulnerability VCID-qnbx-c635-hqer
4
vulnerability VCID-vpxs-mxz3-xqch
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.462.3.1730119132-3%3Farch=el8
5
url pkg:rpm/redhat/jenkins-2-plugins@4.12.1730119231-1?arch=el8
purl pkg:rpm/redhat/jenkins-2-plugins@4.12.1730119231-1?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bh8-3gb1-4ben
1
vulnerability VCID-jarz-xtnw-ufbz
2
vulnerability VCID-mkf8-a5k3-83fs
3
vulnerability VCID-qnbx-c635-hqer
4
vulnerability VCID-vpxs-mxz3-xqch
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.12.1730119231-1%3Farch=el8
6
url pkg:rpm/redhat/jenkins-2-plugins@4.13.1729840148-1?arch=el8
purl pkg:rpm/redhat/jenkins-2-plugins@4.13.1729840148-1?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bh8-3gb1-4ben
1
vulnerability VCID-jarz-xtnw-ufbz
2
vulnerability VCID-mkf8-a5k3-83fs
3
vulnerability VCID-vpxs-mxz3-xqch
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.13.1729840148-1%3Farch=el8
7
url pkg:rpm/redhat/jenkins-2-plugins@4.14.1729839844-1?arch=el8
purl pkg:rpm/redhat/jenkins-2-plugins@4.14.1729839844-1?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bh8-3gb1-4ben
1
vulnerability VCID-jarz-xtnw-ufbz
2
vulnerability VCID-mkf8-a5k3-83fs
3
vulnerability VCID-vpxs-mxz3-xqch
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.14.1729839844-1%3Farch=el8
8
url pkg:rpm/redhat/jenkins-2-plugins@4.15.1729838165-1?arch=el8
purl pkg:rpm/redhat/jenkins-2-plugins@4.15.1729838165-1?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bh8-3gb1-4ben
1
vulnerability VCID-jarz-xtnw-ufbz
2
vulnerability VCID-mkf8-a5k3-83fs
3
vulnerability VCID-vpxs-mxz3-xqch
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.15.1729838165-1%3Farch=el8
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47804.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47804.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47804
reference_id
reference_type
scores
0
value 0.00448
scoring_system epss
scoring_elements 0.63642
published_at 2026-05-07T12:55:00Z
1
value 0.00448
scoring_system epss
scoring_elements 0.63606
published_at 2026-04-12T12:55:00Z
2
value 0.00448
scoring_system epss
scoring_elements 0.63609
published_at 2026-04-16T12:55:00Z
3
value 0.00448
scoring_system epss
scoring_elements 0.63618
published_at 2026-04-18T12:55:00Z
4
value 0.00448
scoring_system epss
scoring_elements 0.63601
published_at 2026-04-21T12:55:00Z
5
value 0.00448
scoring_system epss
scoring_elements 0.63619
published_at 2026-04-24T12:55:00Z
6
value 0.00448
scoring_system epss
scoring_elements 0.63632
published_at 2026-04-26T12:55:00Z
7
value 0.00448
scoring_system epss
scoring_elements 0.63626
published_at 2026-04-29T12:55:00Z
8
value 0.00448
scoring_system epss
scoring_elements 0.63599
published_at 2026-05-05T12:55:00Z
9
value 0.00448
scoring_system epss
scoring_elements 0.63545
published_at 2026-04-02T12:55:00Z
10
value 0.00448
scoring_system epss
scoring_elements 0.63573
published_at 2026-04-13T12:55:00Z
11
value 0.00448
scoring_system epss
scoring_elements 0.63538
published_at 2026-04-07T12:55:00Z
12
value 0.00448
scoring_system epss
scoring_elements 0.6359
published_at 2026-04-08T12:55:00Z
13
value 0.00448
scoring_system epss
scoring_elements 0.63607
published_at 2026-04-09T12:55:00Z
14
value 0.00448
scoring_system epss
scoring_elements 0.63622
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47804
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-47804
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-47804
3
reference_url https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T16:31:07Z/
url https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3448
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2316131
reference_id 2316131
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2316131
5
reference_url https://github.com/advisories/GHSA-f9qj-77q2-h5c5
reference_id GHSA-f9qj-77q2-h5c5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-f9qj-77q2-h5c5
6
reference_url https://access.redhat.com/errata/RHSA-2024:8884
reference_id RHSA-2024:8884
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8884
7
reference_url https://access.redhat.com/errata/RHSA-2024:8885
reference_id RHSA-2024:8885
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8885
8
reference_url https://access.redhat.com/errata/RHSA-2024:8886
reference_id RHSA-2024:8886
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8886
9
reference_url https://access.redhat.com/errata/RHSA-2024:8887
reference_id RHSA-2024:8887
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8887
Weaknesses
0
cwe_id 843
name Access of Resource Using Incompatible Type ('Type Confusion')
description The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
1
cwe_id 863
name Incorrect Authorization
description The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
2
cwe_id 1220
name Insufficient Granularity of Access Control
description The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
3
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
4
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score 4.0 - 6.9
Exploitability 0.5
Weighted_severity 6.2
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vpxs-mxz3-xqch