Authentication Flaw in Jenkins Active Directory Plugin by Jenkins
CVE-2020-2300

9.8CRITICAL

Key Information:

Vendor: Jenkins
Status: Jenkins Active Directory Plugin
Vendor: CVE Published:; 4 November 2020

Summary

The Jenkins Active Directory Plugin prior to version 2.19 is susceptible to an authentication bypass due to its failure to enforce restrictions on empty passwords in Windows/ADSI mode. This flaw enables attackers to potentially log in to the Jenkins server impersonating any user, contingent upon the configuration of the connected Active Directory server. Organizations utilizing this plugin should ensure they update to the latest version to mitigate associated risks.

Affected Version(s)

Jenkins Active Directory Plugin <= 2.19

Jenkins Active Directory Plugin 2.16.1

References

https://www.jenkins.io/security/advisory/2020-11-04/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2020/11/04/6

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 4, 2020
Vulnerability Reserved
Dec 5, 2019