Description
An improper certificate validation vulnerability exists in Jenkins Active Directory Plugin 2.10 and earlier. The affected code is in src/main/java/hudson/plugins/active_directory/ActiveDirectoryDomain.java, src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java and src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java. When Jenkins is configured to use StartTLS, the plugin does not properly validate the certificate presented by the Active Directory server, which allows attackers to impersonate the Active Directory server that Jenkins connects to for authentication.
Remediation
References
https://jenkins.io/security/advisory/2019-01-28/#SECURITY-859