CVE-2025-24399

Name
CVE-2025-24399
Description
Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type             URI
vendor-advisory  https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3461

Match rules

CPE URI                                                                Source package                                Min version                 Max version
-                                                                      jenkins-openid-connect-authentication-plugin  >= 4.453.v4d7765c854f4      < *
-                                                                      jenkins-openid-connect-authentication-plugin  == 4.438.440.v3f5f201de5dc  == 4.438.440.v3f5f201de5dc
cpe:2.3:a:jenkins:openid_connect_authentication:*:*:*:*:*:jenkins:*:*  jenkins                                       >= None                     < 4.438.440.v3f5f201de5dc
cpe:2.3:a:jenkins:openid_connect_authentication:*:*:*:*:*:jenkins:*:*  jenkins                                       >= 4.444.vd4c54f157201      < 4.453.v4d7765c854f4

Vulnerable and fixed packages

Source package  Branch          Version     Maintainer                                    Status
jenkins         edge-community  2.479.1-r0  Francesco Colista <fcolista@alpinelinux.org>  possibly vulnerable
jenkins         edge-community  2.479.1-r1  Francesco Colista <fcolista@alpinelinux.org>  possibly vulnerable
jenkins         edge-community  2.516.1-r0  Francesco Colista <fcolista@alpinelinux.org>  possibly vulnerable
jenkins         3.22-community  2.479.1-r0  Francesco Colista <fcolista@alpinelinux.org>  possibly vulnerable
jenkins         3.22-community  2.479.1-r1  Francesco Colista <fcolista@alpinelinux.org>  possibly vulnerable