Case Insensitivity Vulnerability in Jenkins OpenId Connect Authentication Plugin
CVE-2025-24399
8.8HIGH
Key Information:
- Vendor
- Jenkins
- Vendor
- CVE Published:
- 22 January 2025
Summary
The Jenkins OpenId Connect Authentication Plugin misinterprets username case sensitivity, enabling attackers to log in as any user. This flaw occurs in versions 4.452.v2849b_d3945fa_ and earlier, affecting Jenkins configurations that utilize case-sensitive OpenID Connect providers. By submitting a username with a different letter casing, an attacker can potentially gain unauthorized access, including administrative privileges, leading to significant security risks.
Affected Version(s)
Jenkins OpenId Connect Authentication Plugin 4.453.v4d7765c854f4
Jenkins OpenId Connect Authentication Plugin 4.453.v4d7765c854f4
Jenkins OpenId Connect Authentication Plugin 4.438.440.v3f5f201de5dc
References
CVSS V3.1
Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved