CVE-2025-24399
Published: 22 January 2025
Description
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Security Summary
CVE-2025-24399 affects the Jenkins OpenId Connect Authentication Plugin versions 4.452.v2849b_d3945fa_ and earlier, excluding 4.438.440.v3f5f201de5dc. The vulnerability arises because the plugin compares usernames case-insensitively even when the configured OpenID Connect provider treats them as case-sensitive. Because the provider and the plugin disagree on which names are the same, an attacker can authenticate as any existing user by presenting a username that matches the target's only in letter case.
Exploitation requires only low privileges (PR:L) on the affected Jenkins instance and is possible remotely (AV:N) with low attack complexity (AC:L), no user interaction (UI:N), and unchanged scope (S:U). It results in high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), for a CVSS v3.1 base score of 8.8. An attacker can log in as any user, potentially including administrators, and thereby gain full control of the Jenkins instance. The weakness is catalogued as CWE-276.
The Jenkins security advisory (https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3461) states that upgrading to OpenId Connect Authentication Plugin version 4.452.v2849b_d3945fa_6 or later fixes the issue by correctly respecting case sensitivity from the OpenID Connect provider.
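The mismatch described above comes down to how an asserted username is resolved against the application's own accounts. The following is an added illustration, not code from the Jenkins plugin or the advisory: it is written in Python rather than Java, and the user store, function names and sample accounts are constructed for the example. It places the weak case-folding lookup next to the exact-match lookup the fix corresponds to, and adds an audit helper a defender can run over an account list to find names that are distinct to a case-sensitive provider but identical after case folding.

```python
"""Case-sensitivity mismatch between an identity provider and an application.

Constructed example (not the plugin's code): a minimal local user store keyed
by the username an OpenID Connect provider asserts, a lookup that folds case
(the weak behaviour), a lookup that matches exactly (the fixed behaviour), and
an audit that reports usernames colliding only by letter case.
"""
from collections import defaultdict

# Constructed sample of local accounts as the application knows them.
LOCAL_USERS = {
    "admin": {"roles": ["administer"]},
    "alice": {"roles": ["read", "build"]},
    "bob": {"roles": ["read"]},
}


def resolve_case_insensitive(asserted_name, users=LOCAL_USERS):
    """Weak: case is folded, so any spelling of an existing name maps to it.

    With a case-sensitive provider, "Admin" and "admin" are two different
    principals, yet this lookup returns the same local account for both.
    """
    folded = asserted_name.casefold()
    for name, account in users.items():
        if name.casefold() == folded:
            return name, account
    return None


def resolve_exact(asserted_name, users=LOCAL_USERS):
    """Fixed: the local account must match exactly what the provider asserted."""
    account = users.get(asserted_name)
    return (asserted_name, account) if account is not None else None


def find_case_collisions(usernames):
    """Audit helper: group names that differ only by letter case.

    Returns {folded_name: sorted list of distinct spellings} for every group
    with more than one spelling. An empty dict means every name is unambiguous
    under case folding, so a case-insensitive comparison cannot conflate two
    distinct provider identities.
    """
    groups = defaultdict(set)
    for name in usernames:
        groups[name.casefold()].add(name)
    return {folded: sorted(names) for folded, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    # Demonstration on constructed input.
    print("weak  :", resolve_case_insensitive("ADMIN"))
    print("fixed :", resolve_exact("ADMIN"))
    print("audit :", find_case_collisions(["admin", "Admin", "alice", "bob"]))
```

The audit is the part worth running in practice: if the account list contains no case-only collisions, a case-folding comparison cannot map one provider identity onto another; if it does, those entries are exactly the ones that need review while the upgrade is rolled out.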
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote authentication bypass in the public-facing Jenkins OpenId Connect Authentication Plugin: by varying only the letter case of a valid username, an attacker can impersonate any existing account, including administrators, and gain full access to the instance.