Case Insensitivity Vulnerability in Jenkins OpenId Connect Authentication Plugin
CVE-2025-24399

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Openid Connect Authentication Plugin
Vendor: CVE Published:; 22 January 2025

What is CVE-2025-24399?

The Jenkins OpenId Connect Authentication Plugin misinterprets username case sensitivity, enabling attackers to log in as any user. This flaw occurs in versions 4.452.v2849b_d3945fa_ and earlier, affecting Jenkins configurations that utilize case-sensitive OpenID Connect providers. By submitting a username with a different letter casing, an attacker can potentially gain unauthorized access, including administrative privileges, leading to significant security risks.

Affected Version(s)

Jenkins OpenId Connect Authentication Plugin 4.453.v4d7765c854f4

Jenkins OpenId Connect Authentication Plugin 4.438.440.v3f5f201de5dc

References

https://www.jenkins.io/security/advisory/2025-01-22/#SECU...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 22, 2025
Vulnerability Reserved
Jan 21, 2025