Description
Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.
Remediation
References
http://www.openwall.com/lists/oss-security/2023/07/12/2
https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059
Related Vulnerabilities
CVE-2021-27644 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-server
CVE-2022-38639 Vulnerability in npm package markdown-nice
CVE-2020-6423 Vulnerability in maven package org.webjars.npm:electron
CVE-2022-3224 Vulnerability in npm package parse-url
CVE-2010-2245 Vulnerability in maven package org.apache.wink:wink-server