CVE-2025-24399
📋 TL;DR
This vulnerability allows attackers to bypass authentication on Jenkins instances by exploiting case-insensitive username matching. Attackers can log in as any user (including administrators) by providing a username that differs only in letter case from a legitimate user. This affects Jenkins instances using the OpenId Connect Authentication Plugin with case-sensitive OpenID Connect providers.
💻 Affected Systems
- Jenkins OpenId Connect Authentication Plugin
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrator access to Jenkins, enabling complete system compromise, data theft, code execution, and lateral movement within the environment.
Likely Case
Attackers gain unauthorized access to Jenkins with elevated privileges, potentially modifying builds, stealing credentials, or deploying malicious code.
If Mitigated
Limited impact if strong network controls, monitoring, and least-privilege access are already implemented.
🎯 Exploit Status
Requires attacker to know valid usernames and have access to Jenkins login page. Exploitation is straightforward once these conditions are met.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.453 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3461
Restart Required: No
Instructions:
1. Navigate to Manage Jenkins > Plugin Manager.
2. Update the OpenId Connect Authentication Plugin to version 4.453 or later.
3. No restart is required.
🔧 Temporary Workarounds
Switch to a case-insensitive OpenID Connect provider
Configure Jenkins to use an OpenID Connect provider that treats usernames as case-insensitive.
Disable the OpenId Connect Authentication Plugin
Temporarily disable the plugin until patching is possible.
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Jenkins instances
- Enable detailed authentication logging and monitor for suspicious login attempts
🔍 How to Verify
Check if Vulnerable:
Check the Jenkins plugin manager for the OpenId Connect Authentication Plugin version. If the version is 4.452.v2849b_d3945fa_ or earlier (except 4.438.440.v3f5f201de5dc), the instance is vulnerable.
Check Version:
Navigate to Manage Jenkins > Plugin Manager and check OpenId Connect Authentication Plugin version
Verify Fix Applied:
Verify plugin version is 4.453 or later in Jenkins plugin manager.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts with case-variant usernames
- Successful logins from unusual IP addresses
- Authentication events showing username case mismatches
Network Indicators:
- Unusual authentication traffic patterns to Jenkins login endpoints
SIEM Query:
source="jenkins.log" AND ("authentication failure" OR "login attempt") AND username MATCHES /[A-Za-z]+/i
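As an added example (not part of this advisory, and not code from the plugin), the "username case mismatch" indicator above implemented in Python over constructed log lines: a login is flagged when the supplied username matches a known Jenkins account only after case folding. The log line format and the user list are assumptions.

```python
import re
from collections import defaultdict

# Constructed log layout (an assumption, not the plugin's real log format):
# "<timestamp> <login_success|login_failure> user=<name> ip=<addr>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event>login_success|login_failure)\s+"
    r"user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)

# Constructed list of legitimate Jenkins accounts in their exact casing.
KNOWN_USERS = {"admin", "alice", "bob.builder"}

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None

def find_case_mismatches(lines, known_users=KNOWN_USERS):
    """Flag login events whose username equals a known account only when case is
    ignored. Returns (timestamp, supplied_name, canonical_name, event, ip) tuples."""
    by_fold = {u.casefold(): u for u in known_users}
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than failing the whole scan
        canonical = by_fold.get(rec["user"].casefold())
        if canonical is not None and rec["user"] != canonical:
            findings.append((rec["ts"], rec["user"], canonical, rec["event"], rec["ip"]))
    return findings

def case_variants_per_account(lines):
    """Map each case-folded username to the distinct spellings seen for it,
    keeping only accounts that were attempted under more than one spelling."""
    variants = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            variants[rec["user"].casefold()].add(rec["user"])
    return {k: v for k, v in variants.items() if len(v) > 1}

# Constructed sample log: one attacker source tries "Admin", then "ADMIN".
SAMPLE_LOG = [
    "2025-01-23T10:00:01Z login_success user=alice ip=10.0.0.5",
    "2025-01-23T10:00:07Z login_failure user=Admin ip=203.0.113.9",
    "2025-01-23T10:00:12Z login_success user=ADMIN ip=203.0.113.9",
    "2025-01-23T10:01:30Z login_success user=bob.builder ip=10.0.0.7",
    "2025-01-23T10:02:00Z login_success user=mallory ip=203.0.113.9",
    "this line is malformed and is ignored",
]

if __name__ == "__main__":
    for hit in find_case_mismatches(SAMPLE_LOG):
        print("case-mismatch login:", hit)
    print("accounts seen under several spellings:", case_variants_per_account(SAMPLE_LOG))
```

Unknown names such as "mallory" are not flagged because the indicator is specifically a near-miss against an existing account, which is what distinguishes this bug from ordinary brute forcing.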