Jenkins OpenId Connect Authentication Plugin Case Sensitivity Vulnerability Allowing Unauthorized Access

Vulnerability

OpenId Connect Authentication Plugin 4.452.v2849b_d3945fa_ and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive when it maps the identity returned by the OpenID Connect provider to a Jenkins user. On a Jenkins instance whose provider is case-sensitive, the provider keeps accounts whose names differ only in letter case as separate accounts, while the plugin collapses them onto a single Jenkins user. An attacker who can obtain a provider account whose name differs only in case from the name of an existing Jenkins user therefore logs in as that existing user, with that user's permissions. The attack depends on the provider issuing a token for the case-variant name; a provider that itself treats usernames as case-insensitive does not create this collision.

Impact

An attacker who obtains a case-variant provider account takes over the targeted Jenkins user's identity and permissions. When the targeted user is an administrator, this yields full administrative control of Jenkins (Overall/Administer).

Remediation

Update OpenId Connect Authentication Plugin to 4.453.v4d7765c854f4. Upgrading alone is not sufficient: the default behaviour remains case-insensitive, so explicitly enable case-sensitive username handling in the plugin configuration after the upgrade. Before enabling it, audit the existing Jenkins user list for usernames that differ only in letter case; such pairs are exactly the collisions this flaw exploits, and their presence may indicate that impersonation has already taken place.
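The following is an added illustration, not code from the Jenkins plugin or the Jenkins project: a small model of the username mapping described under Vulnerability, with the vulnerable case-insensitive lookup beside the hardened exact-match lookup, plus the case-collision audit suggested under Remediation. The identity-provider accounts, Jenkins users and the controlling parties are constructed sample data; the way an unknown claim becomes a fresh permissionless user is a simplification of Jenkins' real behaviour.

```python
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed sample data: the Jenkins-side user store and the permissions the
# authorization strategy has granted to each user. "Overall/Administer" is the
# real name of Jenkins' administrator permission; the users are invented.
JENKINS_USERS: Dict[str, Set[str]] = {
    "Alice": {"Overall/Administer"},
    "bob": {"Overall/Read", "Job/Read"},
}

# Constructed sample data: accounts at a case-sensitive OpenID Connect provider,
# keyed by username, with the party that controls each account. Because the
# provider is case-sensitive, "Alice" and "alice" are two unrelated accounts,
# and nothing stops an attacker from registering the second one.
IDP_ACCOUNTS: Dict[str, str] = {
    "Alice": "legitimate-admin",
    "alice": "attacker",
    "bob": "bob",
}


def idp_authenticate(username: str, controller: str) -> Optional[str]:
    """Return the username claim the provider would place in the ID token,
    or None when the login fails. Exact-case lookup, as at a case-sensitive
    provider."""
    if IDP_ACCOUNTS.get(username) == controller:
        return username
    return None


def resolve_user_vulnerable(claim: str) -> Optional[str]:
    """Vulnerable relying-party behaviour: the first existing Jenkins user whose
    name equals the token's username claim ignoring case."""
    for local_name in JENKINS_USERS:
        if local_name.lower() == claim.lower():
            return local_name
    return None


def resolve_user_fixed(claim: str) -> Optional[str]:
    """Hardened behaviour: the claim must match an existing Jenkins user
    exactly; a case variant is a different (new) user."""
    return claim if claim in JENKINS_USERS else None


def login(
    username: str,
    controller: str,
    resolver: Callable[[str], Optional[str]],
) -> Tuple[Optional[str], FrozenSet[str]]:
    """Simulate one OIDC login end to end; return (jenkins_user, permissions)."""
    claim = idp_authenticate(username, controller)
    if claim is None:
        return None, frozenset()
    local_name = resolver(claim)
    if local_name is None:
        # No matching account: model Jenkins creating a fresh user that holds
        # only what the strategy grants to everyone (here: nothing).
        # Simplification of the real behaviour, for illustration only.
        return claim, frozenset()
    return local_name, frozenset(JENKINS_USERS[local_name])


def case_collisions(usernames: List[str]) -> Dict[str, List[str]]:
    """Audit helper: group usernames that differ only in letter case, keyed by
    their case-folded form. Run this over the Jenkins user list before turning
    on case-sensitive matching."""
    groups: Dict[str, List[str]] = {}
    for name in usernames:
        groups.setdefault(name.casefold(), []).append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    # The attacker authenticates at the provider as "alice" and is mapped to
    # the administrator "Alice" by the vulnerable resolver, but not the fixed one.
    print("vulnerable:", login("alice", "attacker", resolve_user_vulnerable))
    print("fixed:     ", login("alice", "attacker", resolve_user_fixed))
    print("collisions:", case_collisions(list(JENKINS_USERS) + ["alice"]))
```

The fixed resolver alone is what the upgrade provides once case sensitivity is enabled; `case_collisions` is the pre-upgrade check, and any group it returns deserves a look at who created the variant account and when.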

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 5.0
exploitability: 4.9
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.