CVE-2025-24399

CWE-276Incorrect Default PermissionsCWE-1785 documents5 sources
Severity
8.8HIGH
EPSS
0.4%
top 39.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Jenkins Openid Connect Authentication
Timeline
PublishedJan 22

Description

Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDjenkins/openid_connect_authentication4.444.vd4c54f1572014.453.v4d7765c854f4+1
Mavenorg.jenkins-ci.plugins:oic-auth< 4.453.v4d7765c854f4

🔴Vulnerability Details

3
OSV
Improper handling of case sensitivity in Jenkins OpenId Connect Authentication Plugin2025-01-22
GHSA
Improper handling of case sensitivity in Jenkins OpenId Connect Authentication Plugin2025-01-22
CVEList
CVE-2025-24399: Jenkins OpenId Connect Authentication Plugin 42025-01-22

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2025-01-222025-01-22
CVE-2025-24399 (HIGH CVSS 8.8) | Jenkins OpenId Connect Authenticati | cvebase.io