Jenkins OpenID Connect Provider Plugin
cpe:2.3:a:jenkins:openid_connect_authentication:*:*:*:*:jenkins:*:*
- <= 96.vee8ed882ec4d
A vulnerability exists in the Jenkins OpenID Connect Provider Plugin in versions through 96.vee8ed882ec4d. The issue arises because the plugin's build ID token generation can inadvertently use overridden environment variable values. When combined with certain other plugins that allow such overrides, this could enable attackers to create a build ID token that impersonates a trusted job, potentially leading to unauthorized access to external services.
Exploitation of this vulnerability could result in unauthorized access to external services by impersonating a trusted Jenkins job.
Users of the OpenID Connect Provider Plugin should update to version 111.v29fd614b_3617, which addresses this vulnerability by ensuring that the build ID token generation does not rely on overridden environment variables.
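The following is an added illustration, not code from the plugin, of the class of defect described above: deriving the identity claims of a build's ID token from the build's environment map lets any contributor that can override environment values change which job the token claims to belong to, whereas deriving them from the build record itself does not. All names (`Build`, `JOB_NAME`, `claims_vulnerable`, `claims_hardened`, the sample job names) are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Build:
    """Minimal stand-in for a build record (hypothetical model)."""
    job_full_name: str                      # trusted: comes from the job object
    number: int
    base_env: dict = field(default_factory=dict)
    overrides: dict = field(default_factory=dict)  # e.g. user-supplied parameters

    def environment(self) -> dict:
        # Later contributors win, so an override replaces the base value.
        return {**self.base_env, **self.overrides}


def claims_vulnerable(build: Build) -> dict:
    """Claims taken from the merged environment: overridable values decide identity."""
    env = build.environment()
    return {"sub": env["JOB_NAME"], "build_number": int(env["BUILD_NUMBER"])}


def claims_hardened(build: Build) -> dict:
    """Claims taken from the build record: environment overrides have no effect."""
    return {"sub": build.job_full_name, "build_number": build.number}


def token_matches_build(claims: dict, build: Build) -> bool:
    """Defender-side check: reject a token whose claims disagree with the build record."""
    return claims["sub"] == build.job_full_name and claims["build_number"] == build.number


def demo() -> tuple:
    # Constructed sample: a low-trust job whose parameters override JOB_NAME.
    b = Build(
        job_full_name="untrusted/pr-builder",
        number=7,
        base_env={"JOB_NAME": "untrusted/pr-builder", "BUILD_NUMBER": "7"},
        overrides={"JOB_NAME": "prod/deploy"},
    )
    return claims_vulnerable(b), claims_hardened(b)


if __name__ == "__main__":
    weak, strong = demo()
    print("vulnerable claims:", weak)   # sub is the overridden, impersonated job
    print("hardened claims:  ", strong)  # sub is the real job name
```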