Authentication Bypass in Jenkins Active Directory Plugin by CloudBees
CVE-2020-2299

9.8CRITICAL

Key Information:

Vendor: Jenkins
Status: Jenkins Active Directory Plugin
Vendor: CVE Published:; 4 November 2020

Summary

The Jenkins Active Directory Plugin prior to version 2.20 contains a vulnerability that allows attackers to gain unauthorized access by logging in as any user if they utilize a specific magic constant as a password. This flaw could potentially compromise user accounts, leading to unauthorized actions within Jenkins environments. Organizations using affected versions should prioritize upgrading to mitigate this risk.

Affected Version(s)

Jenkins Active Directory Plugin 1.44

Jenkins Active Directory Plugin <= 2.19

Jenkins Active Directory Plugin 2.16.1

References

https://www.jenkins.io/security/advisory/2020-11-04/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2020/11/04/6

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 4, 2020
Vulnerability Reserved
Dec 5, 2019