CVE-2025-24399

Source
https://cve.org/CVERecord?id=CVE-2025-24399
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-24399.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-24399
Aliases
Published
2025-01-22T17:15:13.853Z
Modified
2026-04-12T14:04:25.069872Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Jenkins OpenId Connect Authentication Plugin 4.452.v2849bd3945fa and earlier, except 4.438.440.v3f5f201de5dc, treats usernames as case-insensitive. On Jenkins instances configured with a case-sensitive OpenID Connect provider, where usernames that differ only in letter case are distinct identities, this allows attackers to log in as any user by providing a username that differs only in letter case, potentially gaining administrator access to Jenkins. The version events listed on this page mark 4.438.440.v3f5f201de5dc and 4.453.v4d7765c854f4 as fixed.

References

Affected packages

Git / github.com/jenkinsci/oic-auth-plugin

Affected ranges

Type
GIT
Repo
https://github.com/jenkinsci/oic-auth-plugin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.438.440.v3f5f201de5dc"
        },
        {
            "introduced": "4.444.vd4c54f157201"
        },
        {
            "fixed": "4.453.v4d7765c854f4"
        }
    ]
}

Affected versions

4.*
4.223.v503b_9a_75a_8a_f
4.224.v62720cfa_026e
4.225.v03326773b_44b_
4.227.v36610663f760
4.228.v0c3e8682ff1f
4.229.vf736b_fec02f4
4.236.v4124503b_a_f88
4.238.v0021f710b_b_f4
4.239.v325750a_96f3b_
4.250.v5a_d993226437
4.257.v5360e8489e8b_
4.269.va_7526f34f306
4.279.vca_c1e2fdd24b_
4.284.v0cc21de03d37
4.290.v6f5e8da_e98b_2
4.297.vcddb_d8a_e4694
4.299.v5ca_eb_6a_f3e6d
4.303.v84089a_708ea_7
4.320.v23537cb_a_b_5c6
4.324.vfd49d010926b_
4.329.v994d3f265d68
4.330.v6fdfc07513e3
4.331.vd925b_f76f3a_c
4.340.ve70636c6590e
4.346.v10401f543622
4.350.v347c3b_8b_9d95
4.354.v321ce67a_1de8
4.355.v3a_fb_fca_b_96d4
4.371.vc7c0c06e8a_f5
4.388.v4f73328eb_d2c
4.409.ve864b_f48b_0f3
4.411.v990b_9d36e74e
4.418.vccc7061f5b_6d
4.421.v5422614eb_e0a_
4.438.v6e62f6782770
4.444.vd4c54f157201
4.452.v2849b_d3945fa_
Other
next
oic-auth-1.*
oic-auth-1.0
oic-auth-1.1
oic-auth-1.2
oic-auth-1.3
oic-auth-1.4
oic-auth-1.5
oic-auth-1.6
oic-auth-1.7
oic-auth-1.8
oic-auth-2.*
oic-auth-2.0
oic-auth-2.1
oic-auth-2.2
oic-auth-2.3
oic-auth-2.4
oic-auth-2.5
oic-auth-2.6
oic-auth-3.*
oic-auth-3.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-24399.json"
vanir_signatures_modified
"2026-04-12T14:04:25Z"
vanir_signatures
[
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/4d7765c854f4f5e6e3c26ed950a26042a7527875",
        "digest": {
            "function_hash": "71790431978255330690840632366832172916",
            "length": 110.0
        },
        "id": "CVE-2025-24399-11294c80",
        "deprecated": false,
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java",
            "function": "escapeHatchThrowsException"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/4d7765c854f4f5e6e3c26ed950a26042a7527875",
        "digest": {
            "function_hash": "92339488683552919304618169202355811251",
            "length": 817.0
        },
        "id": "CVE-2025-24399-25e2650a",
        "deprecated": false,
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/TestRealm.java",
            "function": "TestRealm"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/4d7765c854f4f5e6e3c26ed950a26042a7527875",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "159248819485680531025194786911732097141",
                "339006640461263996001964936801635034713",
                "22081426634109343006674938703645955805",
                "72420844902488574905172378283379477628",
                "200645436539131617160813460550745326840",
                "255029042819156871292067274587823226312",
                "210136858134134117770154592777303541727",
                "138299684812145598888425198843408212167",
                "220813415252913801677747992238609416653",
                "311166172882498453125573946312019731287",
                "124724664725159082281821260165382122148",
                "241698953473854457028693848754184370832",
                "135493171011005191016914937291042276926",
                "229287564008375828068096994441832805916",
                "273265371621046681966058172853011395004"
            ]
        },
        "id": "CVE-2025-24399-29b67e28",
        "deprecated": false,
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/TestRealm.java"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/4d7765c854f4f5e6e3c26ed950a26042a7527875",
        "digest": {
            "function_hash": "203478221271522253572740313549881183225",
            "length": 202.0
        },
        "id": "CVE-2025-24399-4855a828",
        "deprecated": false,
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java",
            "function": "readresolve"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3f5f201de5dc4013ae242722403a86a95b63aaad",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "322461487782937796133791808475135473115",
                "105344850659363704372853321460015650660",
                "97489288069188998948116358426038463426",
                "223479405681745195348368252362806442590",
                "302711407631571022385312063737125150220",
                "171327288396072686942004704842839645015",
                "181756894829738664951636316829369577762",
                "337118886049616093044512697716890473178",
                "268702562666521644228381551217226993990",
                "275134389792844704311379386487872601427",
                "257393841318378162632066990951653856861",
                "132290698468758116451436166747181291930",
                "269164999757640056744981561687653057564",
                "230904748141772376488404653587502253417",
                "17016662699818905200461257943909823389",
                "201842754010417450013020399235022722910",
                "331674106621316476420190146626711589136",
                "18405806831038452263297717469252489943",
                "51129096705258866326271158081060395071",
                "162255358518681189662743117731298066644",
                "71901280125182888598771527985896636686",
                "195071287563146152880450457024189097801",
                "88589717751246450769094490700832978307",
                "70200046239378138689314141504283369612",
                "136393193752885154605165327968839524391",
                "280594458184678070939474818295261775887",
                "185322036680041267445109789435622795874",
                "4018181233112214549315201898986217347",
                "300251758529049714451995143990115440126"
            ]
        },
        "id": "CVE-2025-24399-54edb00e",
        "deprecated": false,
        "target": {
            "file": "src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3f5f201de5dc4013ae242722403a86a95b63aaad",
        "digest": {
            "function_hash": "162154435502172740736316643599492711444",
            "length": 181.0
        },
        "id": "CVE-2025-24399-5deebc32",
        "deprecated": false,
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java",
            "function": "escapeHatchToFalse"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3f5f201de5dc4013ae242722403a86a95b63aaad",
        "digest": {
            "function_hash": "247625722925303008465492101288037838688",
            "length": 354.0
        },
        "id": "CVE-2025-24399-5e59fbed",
        "deprecated": false,
        "target": {
            "file": "src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java",
            "function": "OicSecurityRealm"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/4d7765c854f4f5e6e3c26ed950a26042a7527875",
        "digest": {
            "function_hash": "162154435502172740736316643599492711444",
            "length": 181.0
        },
        "id": "CVE-2025-24399-60649da4",
        "deprecated": false,
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java",
            "function": "escapeHatchToFalse"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/4d7765c854f4f5e6e3c26ed950a26042a7527875",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "16542728570776235475771276927279473996",
                "63972560285708423195149848050605577513",
                "113661293223453984661515758284366817234",
                "142533828800454276993943441136818449986",
                "245098414483421526031132017631099152103",
                "175392909599322583149892923732105357549",
                "228766941038956389804995924986779761482",
                "115426292500187615300771380489453808675",
                "198866052926937045526822944378267828474",
                "156995100225828416882347977497507267546",
                "40079601793268211092017533577444728754",
                "168152826039125229931032170930996819756",
                "128957903560954252554176022903360527109",
                "88984259554262805910403768292104634382"
            ]
        },
        "id": "CVE-2025-24399-658ee635",
        "deprecated": false,
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/4d7765c854f4f5e6e3c26ed950a26042a7527875",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "322461487782937796133791808475135473115",
                "105344850659363704372853321460015650660",
                "97489288069188998948116358426038463426",
                "223479405681745195348368252362806442590",
                "320054043818350945864232224377123200834",
                "430688143498372029150787719664049896",
                "292650230376679549248084233477048101304",
                "125966837863055832968166924150034188007",
                "268702562666521644228381551217226993990",
                "275134389792844704311379386487872601427",
                "257393841318378162632066990951653856861",
                "132290698468758116451436166747181291930",
                "269164999757640056744981561687653057564",
                "230904748141772376488404653587502253417",
                "17016662699818905200461257943909823389",
                "201842754010417450013020399235022722910",
                "331674106621316476420190146626711589136",
                "18405806831038452263297717469252489943",
                "51129096705258866326271158081060395071",
                "162255358518681189662743117731298066644",
                "71901280125182888598771527985896636686",
                "195071287563146152880450457024189097801",
                "88589717751246450769094490700832978307",
                "70200046239378138689314141504283369612",
                "136393193752885154605165327968839524391",
                "280594458184678070939474818295261775887",
                "185322036680041267445109789435622795874",
                "4018181233112214549315201898986217347",
                "300251758529049714451995143990115440126"
            ]
        },
        "id": "CVE-2025-24399-6a8dcf5d",
        "deprecated": false,
        "target": {
            "file": "src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/4d7765c854f4f5e6e3c26ed950a26042a7527875",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "223748232701679418603221556591987714053",
                "38412950971664111232715666380509582444",
                "318281444644602704963405661830849850608",
                "1650605894927286184407034295920304527",
                "83650182607347088240180903903180517991",
                "32654117308393925311903141950460171231",
                "252137375346536615594722158537303261044"
            ]
        },
        "id": "CVE-2025-24399-6fffda52",
        "deprecated": false,
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmFipsTest.java"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3f5f201de5dc4013ae242722403a86a95b63aaad",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "223748232701679418603221556591987714053",
                "38412950971664111232715666380509582444",
                "318281444644602704963405661830849850608",
                "1650605894927286184407034295920304527",
                "83650182607347088240180903903180517991",
                "32654117308393925311903141950460171231",
                "252137375346536615594722158537303261044"
            ]
        },
        "id": "CVE-2025-24399-702e5217",
        "deprecated": false,
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmFipsTest.java"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/4d7765c854f4f5e6e3c26ed950a26042a7527875",
        "digest": {
            "function_hash": "35006382388053461711706714486274596861",
            "length": 599.0
        },
        "id": "CVE-2025-24399-8199113a",
        "deprecated": false,
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmFipsTest.java",
            "function": "settingNonCompliantValuesNotAllowedTest"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3f5f201de5dc4013ae242722403a86a95b63aaad",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "159248819485680531025194786911732097141",
                "162253027441211436730780709344778901729",
                "103041315857857432678948998349073291439",
                "168887701347957689745894612788463668631",
                "200645436539131617160813460550745326840",
                "255029042819156871292067274587823226312",
                "210136858134134117770154592777303541727",
                "138299684812145598888425198843408212167",
                "220813415252913801677747992238609416653",
                "311166172882498453125573946312019731287",
                "124724664725159082281821260165382122148",
                "241698953473854457028693848754184370832",
                "135493171011005191016914937291042276926",
                "229287564008375828068096994441832805916",
                "273265371621046681966058172853011395004"
            ]
        },
        "id": "CVE-2025-24399-9a90e711",
        "deprecated": false,
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/TestRealm.java"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3f5f201de5dc4013ae242722403a86a95b63aaad",
        "digest": {
            "function_hash": "92339488683552919304618169202355811251",
            "length": 817.0
        },
        "id": "CVE-2025-24399-a20882e8",
        "deprecated": false,
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/TestRealm.java",
            "function": "TestRealm"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3f5f201de5dc4013ae242722403a86a95b63aaad",
        "digest": {
            "function_hash": "35006382388053461711706714486274596861",
            "length": 599.0
        },
        "id": "CVE-2025-24399-b4b01bb9",
        "deprecated": false,
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/OicSecurityRealmFipsTest.java",
            "function": "settingNonCompliantValuesNotAllowedTest"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/4d7765c854f4f5e6e3c26ed950a26042a7527875",
        "digest": {
            "function_hash": "247625722925303008465492101288037838688",
            "length": 354.0
        },
        "id": "CVE-2025-24399-e5876eb3",
        "deprecated": false,
        "target": {
            "file": "src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java",
            "function": "OicSecurityRealm"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3f5f201de5dc4013ae242722403a86a95b63aaad",
        "digest": {
            "function_hash": "203478221271522253572740313549881183225",
            "length": 202.0
        },
        "id": "CVE-2025-24399-f2866b7b",
        "deprecated": false,
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java",
            "function": "readresolve"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3f5f201de5dc4013ae242722403a86a95b63aaad",
        "digest": {
            "function_hash": "71790431978255330690840632366832172916",
            "length": 110.0
        },
        "id": "CVE-2025-24399-f6d0800f",
        "deprecated": false,
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java",
            "function": "escapeHatchThrowsException"
        }
    },
    {
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/jenkinsci/oic-auth-plugin/commit/3f5f201de5dc4013ae242722403a86a95b63aaad",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "16542728570776235475771276927279473996",
                "63972560285708423195149848050605577513",
                "113661293223453984661515758284366817234",
                "142533828800454276993943441136818449986",
                "245098414483421526031132017631099152103",
                "175392909599322583149892923732105357549",
                "228766941038956389804995924986779761482",
                "115426292500187615300771380489453808675",
                "198866052926937045526822944378267828474",
                "156995100225828416882347977497507267546",
                "40079601793268211092017533577444728754",
                "168152826039125229931032170930996819756",
                "128957903560954252554176022903360527109",
                "88984259554262805910403768292104634382"
            ]
        },
        "id": "CVE-2025-24399-fc67b6fe",
        "deprecated": false,
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/oic/SecurityRealmConfigurationFIPSTest.java"
        }
    }
]