Jenkins OpenID Connect Provider Plugin Incorrectly Validates Crafted Build ID Tokens, CVE-2025-XXXX (Critical)


The CVE-2025-XXXX vulnerability in Jenkins OpenID Connect Provider Plugin arises from improper validation of build ID tokens during OpenID Connect authentication. The plugin generates these tokens using environment variables that can be overridden by job configurations. Attackers exploiting this flaw can manipulate these variables to craft malicious tokens impersonating trusted jobs. The plugin fails to properly validate the token’s origin, allowing forged tokens to bypass authentication checks. This occurs because the token generation process relies on mutable job parameters rather than immutable system-generated identifiers. When external services trust these tokens for authentication, attackers gain unauthorized access by presenting crafted tokens that appear legitimate. The vulnerability chain involves environment variable injection, token forgery, and broken trust boundaries between Jenkins jobs and external services.
Platform: Jenkins
Version: <111.v29fd614b3617
Vulnerability: Token Validation Bypass
Severity: Critical

Date: May 16, 2025

What Undercode Say:

Exploitation Commands:

1. `curl -X POST -H "Jenkins-Crumb:XXX" --data "json={\"parameter\":[{\"name\":\"ENV_VAR\",\"value\":\"malicious\"}]}" http://jenkins/job/TARGET/build`

2. `python3 -c 'import jwt; print(jwt.encode({"iss":"spoofed_job","aud":"external_svc"}, "secret", algorithm="HS256"))'`

Detection Script:

import requests

def plugin_major(version):
    # Jenkins plugin versions look like "<number>.v<hash>"; a plain string compare
    # would rank "99.v..." above "111.v...", so compare the leading number instead.
    return int(version.split(".")[0])

def check_plugin_version(url):
    r = requests.get(f"{url}/pluginManager/api/json?depth=1", timeout=10)
    return any(p["shortName"] == "oidc-provider" and plugin_major(p["version"]) < 111
               for p in r.json()["plugins"])

Mitigation Steps:

1. Immediate upgrade to plugin version 111.v29fd614b3617+

2. Audit all job configurations for suspicious environment overrides (Script Console; `Job.getProperties()` returns a Map, so look the parameters property up directly instead of iterating the map entries):

    import hudson.model.Job
    import hudson.model.ParametersDefinitionProperty

    Jenkins.instance.getAllItems(Job.class).each { job ->
        def prop = job.getProperty(ParametersDefinitionProperty)
        prop?.parameterDefinitions?.each { param ->
            if (param.name.contains("ID_TOKEN") || param.name.contains("OIDC")) {
                println "Suspicious param in ${job.fullName}: ${param.name}"
            }
        }
    }
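On the relying-party side, the broken trust boundary described above is closed by accepting nothing the job itself can influence. The verifier below is an added example, not the plugin's or this page's code: it pins the expected issuer, audience and algorithm, checks expiry, and authorizes only on a system-issued job identity held in an allowlist. HS256 with a shared secret stands in for the asymmetric (JWKS-published) signature a real OIDC relying party verifies; the issuer URL, job path and secret are constructed values.

```python
import base64, hmac, hashlib, json, time

# Relying-party trust policy (constructed for this example).
EXPECTED_ISSUER = "https://jenkins.example.internal/oidc"  # pinned provider URL, never read from the token
EXPECTED_AUDIENCE = "external_svc"                         # audience used in the page's forged-token example
TRUSTED_SUBJECTS = {"deploy/prod-release"}                 # immutable job paths permitted to authenticate
SHARED_SECRET = b"relying-party-secret"                    # HS256 stands in for RS256 + JWKS here

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; used only to construct sample tokens for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_build_token(token: str, now=None):
    """Return (accepted, reason). Every check compares against pinned policy, not token content."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(b))
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("JWT parts are not JSON objects")
    except ValueError:  # covers bad base64, bad JSON, bad UTF-8 and wrong part count
        return False, "malformed token"
    if header.get("alg") != "HS256":  # the token never gets to choose its own algorithm
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(SHARED_SECRET, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, f"untrusted issuer {claims.get('iss')!r}"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired or missing exp"
    # Authorize on the provider-assigned job identity, never on job-controlled parameters.
    if claims.get("sub") not in TRUSTED_SUBJECTS:
        return False, f"job {claims.get('sub')!r} not allowlisted"
    return True, "ok"
```

A token minted the way the page's exploitation example does it (spoofed issuer, arbitrary secret) fails the signature check, and one that somehow carried a valid signature but a non-allowlisted or spoofed job identity still fails the issuer and subject checks.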

Network Protection:

iptables -A INPUT -p tcp --dport 8080 -m string --string "buildWithParameters" --algo bm -j LOG --log-prefix "JENKINS_PARAM_INJECTION"

Signature Detection:

Sigma rule (detection fragment):

detection:
  keywords:
    - "ID_TOKEN_OVERRIDE"
    - "FAKE_OIDC_ISSUER"
  condition: keywords

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
