Openid Connect Authentication CVE-2025-24399
HIGHCVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins.
AnalysisAI
Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Incorrect Default Permissions (CWE-276), which allows attackers to access resources due to overly permissive default settings. Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins. Affected products include: Jenkins Openid Connect Authentication.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Set restrictive default permissions, follow principle of least privilege, review defaults during deployment.
More from same product – last 7 days
Arbitrary file disclosure in the Jenkins Email Extension Plugin (email-ext) versions 1933.v45cec755423f and earlier lets
Arbitrary file write in the Jenkins Credentials Binding Plugin (version 720.v3f6decef43ea_ and earlier) lets users who c
Arbitrary file read on the Jenkins controller is possible in the Jenkins 'Pipeline: Groovy Libraries Plugin' (version 79
Unsafe deserialization in Jenkins Active Directory Plugin 2.41 and earlier allows a remote attacker holding administrati
Server-Side Request Forgery in Jenkins Active Directory Plugin 2.41 and earlier enables a highly privileged attacker to
Share
External POC / Exploit Code
Leaving vuln.today