Jenkins LTS < 2.462.3 / Jenkins weekly < 2.479 Multiple Vulnerabilities
Description

According to its self-reported version number, the version of Jenkins running on the remote web server is Jenkins LTS prior to 2.462.3 or Jenkins weekly prior to 2.479. It is, therefore, affected by multiple vulnerabilities:

Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field. (CVE-2024-47803)

If an attempt is made to create an item of a type prohibited by ACL#hasCreatePermission2 or TopLevelItemDescriptor#isApplicableIn(ItemGroup) through the Jenkins CLI or the REST API and either of these checks fails, Jenkins 2.478 and earlier, LTS 2.462.2 and earlier creates the item in memory, only deleting it from disk, allowing attackers with Item/Configure permission to save the item to persist it, effectively bypassing the item creation restriction. (CVE-2024-47804)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version…
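As an added defender-side example (not code from the Nessus plugin or from this page), the check below classifies a self-reported Jenkins version as LTS (three components) or weekly (two components) and compares it against the fixed releases named above. It assumes the version comes from the X-Jenkins response header and carries no pre-release suffix.

```python
import re
from typing import Optional, Tuple

# Fixed versions stated in the advisory: LTS 2.462.3 and weekly 2.479.
FIXED_LTS = (2, 462, 3)
FIXED_WEEKLY = (2, 479)


def parse_jenkins_version(raw: str) -> Tuple[str, Tuple[int, ...]]:
    """Parse a self-reported Jenkins version into ('lts' | 'weekly', numeric tuple).

    LTS releases carry three components (2.462.2); weekly releases carry two
    (2.478). Suffixes such as '-rc' or '-SNAPSHOT' are rejected so that a
    non-release build is never silently classified as fixed or affected."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", raw.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version string: {raw!r}")
    major, minor, patch = m.groups()
    if patch is None:
        return "weekly", (int(major), int(minor))
    return "lts", (int(major), int(minor), int(patch))


def is_affected(raw: str) -> bool:
    """True when the version falls inside the range the advisory names
    (LTS < 2.462.3 or weekly < 2.479). Tuple comparison keeps the two
    release lines on separate thresholds."""
    line, ver = parse_jenkins_version(raw)
    return ver < (FIXED_LTS if line == "lts" else FIXED_WEEKLY)


def check_headers(headers: dict) -> Optional[bool]:
    """Evaluate a captured HTTP response header map (case-insensitive lookup).
    Returns None when Jenkins did not self-report a version, e.g. because a
    reverse proxy stripped the header; the host then needs a manual check."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return is_affected(value)
    return None


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real host.
    sample = {"X-Jenkins": "2.462.2", "Server": "Jetty(10.0.20)"}
    print(check_headers(sample))  # True: LTS 2.462.2 is in the affected range
```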

