CVE-2025-24399
Published: 22 January 2025
Summary
CVE-2025-24399 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Jenkins Openid Connect Authentication. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 39.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and IA-13 (Identity Providers and Authorization Servers).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of the flaw in the Jenkins OpenId Connect Authentication Plugin, preventing authentication bypass via case-insensitive username handling.
- IA-13 (Identity Providers and Authorization Servers): establishes and implements requirements for OpenID Connect identity providers so that their case-sensitivity behaviour is consistent with the authentication plugin, mitigating mismatch vulnerabilities.
- Mandates naming conventions and lifecycle reviews for identifiers that enforce case-sensitive uniqueness, reducing the risk of case-variant username exploitation.
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why these techniques?
The vulnerability is a remote authentication bypass in the public-facing Jenkins OpenID Connect plugin: an attacker whose provider-side username differs from a valid user's only in letter case is logged in as that user (administrators included) and gains full access.
NVD Description
Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive, allowing attackers on Jenkins instances configured with a case-sensitive OpenID Connect provider to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins.
Deeper analysis
CVE-2025-24399 affects the Jenkins OpenId Connect Authentication Plugin versions 4.452.v2849b_d3945fa_ and earlier, excluding 4.438.440.v3f5f201de5dc. The vulnerability arises because the plugin compares usernames case-insensitively even when the configured OpenID Connect provider is case-sensitive. Because a case-sensitive provider can issue distinct accounts whose names differ only in letter case, an attacker holding such an account is mapped by the plugin onto the target's Jenkins account and authenticates as that user.
Attackers require low privileges (PR:L) on affected Jenkins instances and can exploit remotely (AV:N) with low complexity (AC:L), no user interaction (UI:N), and unchanged scope (S:U). Exploitation yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with a CVSS v3.1 score of 8.8. Attackers can log in as any user, potentially including administrators, to gain full access to the Jenkins instance. It is associated with CWE-276.
The Jenkins security advisory (https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3461) states that upgrading to OpenId Connect Authentication Plugin version 4.452.v2849b_d3945fa_6 or later fixes the issue by correctly respecting case sensitivity from the OpenID Connect provider.
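The following is an added illustration of the flaw class described above; it is not code from the plugin or from Jenkins. It models a local user directory as a plain dictionary, shows the vulnerable case-insensitive resolution beside the corrected exact match, and includes a defender-side check that, given a constructed list of provider-asserted subjects, flags logins the vulnerable comparison would have mapped onto a different account. All names and the log format are constructed for the example.

```python
"""Username case-handling check modelled on CVE-2025-24399.

Added example, not the plugin's own code. The user directory, the asserted
subjects and the helper names are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: accounts as they exist in a Jenkins-like user directory.
USERS: Dict[str, dict] = {
    "admin": {"roles": ["administer"]},
    "Alice": {"roles": ["build"]},
    "bob": {"roles": ["read"]},
}


def resolve_user(subject: str, users: Dict[str, dict],
                 case_insensitive: bool) -> Optional[str]:
    """Map the username asserted by the OpenID Connect provider to a local account.

    case_insensitive=True reproduces the behaviour the advisory describes: any
    case variant of an existing name resolves to that account, so a provider
    account "ADMIN" lands on the local "admin".
    case_insensitive=False is the corrected behaviour when the provider itself
    treats usernames as case-sensitive: only an exact match resolves.
    """
    if not case_insensitive:
        return subject if subject in users else None
    # Vulnerable path: first account that matches under lower-casing wins.
    for name in users:
        if name.lower() == subject.lower():
            return name
    return None


def flag_case_variant_logins(asserted_subjects: List[str],
                             users: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Defender check over provider-asserted subjects (e.g. from an audit log).

    Returns (asserted_subject, local_account) pairs where the subject is NOT an
    exact local username but the vulnerable comparison would have mapped it to
    one. On an instance that ran an affected version with a case-sensitive
    provider, each pair is a login worth reviewing.
    """
    flagged = []
    for subject in asserted_subjects:
        if subject in users:
            continue  # exact match: nothing suspicious about the mapping itself
        resolved = resolve_user(subject, users, case_insensitive=True)
        if resolved is not None:
            flagged.append((subject, resolved))
    return flagged


if __name__ == "__main__":
    # Constructed subjects as a case-sensitive provider might assert them.
    subjects = ["admin", "ADMIN", "alice", "Bob", "carol"]
    print("vulnerable:", resolve_user("ADMIN", USERS, case_insensitive=True))
    print("fixed:     ", resolve_user("ADMIN", USERS, case_insensitive=False))
    for asserted, local in flag_case_variant_logins(subjects, USERS):
        print(f"review: provider subject {asserted!r} was mapped to {local!r}")
```

The fixed path simply refuses anything that is not byte-for-byte a local username, which is the behaviour the advisory attributes to the patched plugin. The review helper is only meaningful for the window during which an affected version was in use; after upgrading, the same case-variant subjects would be rejected rather than mapped.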
Details
- CWE(s)