PT-2025-5357 · Jenkins · Jenkins Openid Connect Authentication Plugin+1

James Nord · Published 2025-01-22 · Updated 2025-01-22 · CVE-2025-24399

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins OpenId Connect Authentication Plugin versions 4.452.v2849b d3945fa and earlier, except version 4.438.440.v3f5f201de5dc

Description: The plugin treats usernames as case-insensitive. On Jenkins instances configured with a case-sensitive OpenID Connect provider, this allows attackers to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins.

Recommendations: For Jenkins OpenId Connect Authentication Plugin versions 4.452.v2849b d3945fa and earlier, except version 4.438.440.v3f5f201de5dc, update to version 4.453.v4d7765c854f4 or later, which introduces an advanced configuration option to manage username case sensitivity, defaulting to case-sensitive. For instances that cannot be updated to 4.453.v4d7765c854f4 or later, consider configuring the OpenID Connect provider to be case-insensitive, or restrict access to minimize the risk of exploitation until a patch can be applied.
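Added example, not the plugin's own code: a minimal user store that contrasts the case-insensitive lookup described above with the case-sensitive default of the fixed version, plus an audit helper a defender can run over an exported user list to find accounts that differ only in letter case. All usernames, roles and data are constructed.

```python
# Illustrates the CVE-2025-24399 root cause: a Jenkins-side user lookup that
# ignores letter case while the OIDC provider issues case-sensitive subjects,
# so distinct provider accounts ("admin", "Admin") collapse into one Jenkins
# user. Constructed example; not the plugin's code or API.
from collections import defaultdict


class UserStore:
    """Maps Jenkins usernames to roles. case_sensitive mirrors the option the
    fixed plugin version adds (default True)."""

    def __init__(self, case_sensitive=True):
        self.case_sensitive = case_sensitive
        self.roles = {}  # exact username -> set of roles

    def add_user(self, name, roles):
        self.roles[name] = set(roles)

    def resolve(self, asserted_name):
        """Return the stored username the asserted name maps to, or None."""
        if self.case_sensitive:
            return asserted_name if asserted_name in self.roles else None
        # Vulnerable behaviour: first stored name that matches ignoring case.
        for stored in self.roles:
            if stored.casefold() == asserted_name.casefold():
                return stored
        return None


def login(store, asserted_name):
    """Post-authentication mapping: the provider has already verified
    asserted_name. Returns (effective_user, roles) or (None, set())."""
    user = store.resolve(asserted_name)
    if user is None:
        return None, set()
    return user, store.roles[user]


def find_case_collisions(usernames):
    """Defender audit: group usernames that differ only by letter case.
    Returns sorted groups with more than one member (empty list if none)."""
    groups = defaultdict(list)
    for name in usernames:
        groups[name.casefold()].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)
```

With `case_sensitive=False`, a provider-verified "Admin" resolves to the stored "admin" account and inherits its roles; with the fixed default it resolves to nothing.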

Fix

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

CVE-2025-24399
GHSA-Q9CM-88JX-3VFW

Affected Products

Jenkins
Jenkins Openid Connect Authentication Plugin