Authentication Flaw in Jenkins Active Directory Plugin by Jenkins
CVE-2020-2300

9.8CRITICAL

Key Information:

Vendor

Jenkins
Status
Jenkins Active Directory Plugin
Vendor
CVE Published:
4 November 2020

What is CVE-2020-2300?

The Jenkins Active Directory Plugin prior to version 2.19 is susceptible to an authentication bypass due to its failure to enforce restrictions on empty passwords in Windows/ADSI mode. This flaw enables attackers to potentially log in to the Jenkins server impersonating any user, contingent upon the configuration of the connected Active Directory server. Organizations utilizing this plugin should ensure they update to the latest version to mitigate associated risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Jenkins Active Directory Plugin <= 2.19

Jenkins Active Directory Plugin 2.16.1

References

https://www.jenkins.io/security/advisory/2020-11-04/#SECU...
x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2020/11/04/6
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.