CVE-2020-2300 – org.jenkins-ci.plugins:active-directory

Package

Manager: maven
Name: org.jenkins-ci.plugins:active-directory
Vulnerable Version: >=2.17 <2.20 || >=0 <2.16.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00191 pctl0.41264

Details

Improper Authentication (empty password) in Jenkins Active Directory Plugin Jenkins Active Directory Plugin implements two separate modes: Integration with ADSI on Windows, and an OS agnostic LDAP-based mode. The Windows/ADSI mode does not specifically prohibit use of empty passwords in Active Directory Plugin prior to 2.20 and 2.16.1. If the Active Directory server allows the unauthenticated bind operation, this allows attackers to log in to Jenkins as any user by providing an empty password. Jenkins Active Directory Plugin 2.20 and 2.16.1 prohibits the use of an empty password to log in.

Metadata

Created: 2022-05-24T17:33:07Z
Modified: 2023-10-27T12:02:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8wcw-cw2f-h4g2/GHSA-8wcw-cw2f-h4g2.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-8wcw-cw2f-h4g2
Finding: F006
Auto approve: 1