CVE-2025-24399 – org.jenkins-ci.plugins:oic-auth

Package

Manager: maven
Name: org.jenkins-ci.plugins:oic-auth
Vulnerable Version: >=0 <4.453.v4d7765c854f4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0025 pctl0.48102

Details

Improper handling of case sensitivity in Jenkins OpenId Connect Authentication Plugin The Jenkins OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier treats usernames as case-insensitive. On a Jenkins instance configured with a case-sensitive OpenID Connect provider, this allows attackers to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins. OpenId Connect Authentication Plugin 4.453.v4d7765c854f4 introduces an advanced configuration option to manage username case sensitivity, with default to case-sensitive.

Metadata

Created: 2025-01-22T18:31:55Z
Modified: 2025-03-19T15:19:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-q9cm-88jx-3vfw/GHSA-q9cm-88jx-3vfw.json
CWE IDs: ["CWE-178", "CWE-276"]
Alternative ID: GHSA-q9cm-88jx-3vfw
Finding: F164
Auto approve: 1