CVE-2025-24399:The CVE-2025-24399 is a vulnerability in the Jenkins OpenId Connect Authentication Plugin that allows attackers to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins.

splash
Back

Description Preview

The Jenkins OpenId Connect Authentication Plugin versions 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc and 4.453.v4d7765c854f4, are affected by a vulnerability that treats usernames as case-insensitive. This allows attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case. This could potentially allow an attacker to gain administrator access to Jenkins. The vulnerability has been classified as "CWE-276 Incorrect Default Permissions" and has a high severity rating with a CVSS v3.1 base score of 8.8.

Overview

The vulnerability lies in the incorrect default permissions of the Jenkins OpenId Connect Authentication Plugin. The plugin treats usernames as case-insensitive, which can be exploited by attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider. By providing a username that differs only in letter case, an attacker can potentially log in as any user, including administrators.

Remediation

Users are advised to update their Jenkins OpenId Connect Authentication Plugin to the latest version to mitigate this vulnerability. It is also recommended to configure Jenkins instances with a case-insensitive OpenID Connect provider to prevent exploitation of this vulnerability.

References

  1. Jenkins Security Advisory 2025-01-22: https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3461
  2. CWE-276 Incorrect Default Permissions: https://cwe.mitre.org/data/definitions/276.html

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Management of Companies & Enterprises
    Management of Companies & Enterprises
  2. Manufacturing
    Manufacturing
  3. Retail Trade
    Retail Trade
  4. Utilities
    Utilities
  5. Accommodation & Food Services
    Accommodation & Food Services
  6. Administrative, Support, Waste Management & Remediation Services
    Administrative, Support, Waste Management & Remediation Services
  7. Agriculture, Forestry Fishing & Hunting
    Agriculture, Forestry Fishing & Hunting
  8. Arts, Entertainment & Recreation
    Arts, Entertainment & Recreation
  9. Construction
    Construction
  10. Educational Services
    Educational Services
  11. Finance and Insurance
    Finance and Insurance
  12. Health Care & Social Assistance
    Health Care & Social Assistance
  13. Information
    Information
  14. Mining
    Mining
  15. Other Services (except Public Administration)
    Other Services (except Public Administration)
  16. Professional, Scientific, & Technical Services
    Professional, Scientific, & Technical Services
  17. Public Administration
    Public Administration
  18. Real Estate Rental & Leasing
    Real Estate Rental & Leasing
  19. Transportation & Warehousing
    Transportation & Warehousing
  20. Wholesale Trade
    Wholesale Trade

Focus on What Matters

  1. See Everything.
  2. Identify True Risk.
  3. Proactively Mitigate Threats.

Let's talk!

background