CVE-2022-23105 – org.jenkins-ci.plugins:active-directory
Package
Manager: maven
Name: org.jenkins-ci.plugins:active-directory
Vulnerable Version: >=0 <2.25.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00069 (percentile: 0.21527)
Details
User passwords transmitted in plain text by Jenkins Active Directory Plugin
Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations.
Metadata
Created: 2022-01-13T00:00:55Z
Modified: 2022-11-29T21:12:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-c8cc-hj57-vm65/GHSA-c8cc-hj57-vm65.json
CWE IDs: ["CWE-319"]
Alternative ID: GHSA-c8cc-hj57-vm65
Finding: F332
Auto approve: 1