Jenkins Openid Connect Authentication vulnerabilities
7 known vulnerabilities affecting jenkins/openid_connect_authentication.
Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 5, MEDIUM 2
Vulnerabilities
CVE | Severity | CVSS | CWE | Fixed in / affected versions | Date
CVE-2025-24399 | HIGH | CVSS 8.8 | CWE-276 | fixed in 4.438.440.v3f5f201de5dc; affected ≥ 4.444.vd4c54f157201, < 4.453.v4d7765c854f4 | 2025-01-22
Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining admini
Source: nvd
CVE-2024-52553 | HIGH | CVSS 8.8 | CWE-613 | fixed in 4.421.v5422614eb_e0a | 2024-11-13
Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login.
Source: nvd
CVE-2024-47807 | HIGH | CVSS 8.1 | CWE-287 | fixed in 4.355.v3a_fb_fca_b_96d4 | 2024-10-02
Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `iss` (Issuer) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.
Source: nvd
CVE-2024-47806 | HIGH | CVSS 8.1 | CWE-287 | fixed in 4.355.v3a_fb_fca_b_96d4 | 2024-10-02
Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the `aud` (Audience) claim of an ID Token, allowing attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins.
Source: nvd
CVE-2023-50771 | MEDIUM | CVSS 6.1 | CWE-601 | affected ≤ 2.6 | 2023-12-13
Jenkins OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.
Source: nvd
CVE-2023-24424 | HIGH | CVSS 8.8 | CWE-384 | fixed in 2.5 | 2023-01-26
Jenkins OpenId Connect Authentication Plugin 2.4 and earlier does not invalidate the previous session on login.
Source: nvd
CVE-2019-1003021 | MEDIUM | CVSS 4.3 | CWE-200 | affected ≤ 1.4 | 2019-02-06
An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension), to retrieve the configured client secret.
Source: nvd