#VU103263 Improper Handling of Case Sensitivity in OpenId Connect Authentication - CVE-2025-24399

Cybersecurity Help s.r.o.

Published: 2025-01-23

Vulnerability identifier: #VU103263

Vulnerability risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-24399

CWE-ID: CWE-178

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenId Connect Authentication
Web applications / Modules and components for CMS

Vendor: Jenkins

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper handling of case sensitivity. A remote user can log in as any user by providing a username that differs only in letter case and gain administrator access to Jenkins.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenId Connect Authentication: 4.452.v2849b_d3945fa_

External links
https://www.jenkins.io/security/advisory/2025-01-22/#SECURITY-3461

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper Handling of Case Sensitivity in Jenkins OpenId Connect Authentication plugin