Description

Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/07/12/2

https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059

Related Vulnerabilities

CVE-2022-22984 Vulnerability in npm package snyk-mvn-plugin

CVE-2020-36282 Vulnerability in maven package com.rabbitmq.jms:rabbitmq-jms

CVE-2020-26296 Vulnerability in npm package vega

CVE-2019-11002 Vulnerability in maven package org.webjars.npm:materialize-css

CVE-2020-1731 Vulnerability in maven package org.keycloak:keycloak-core

Severity

Medium

Classification

CWE-311 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory