Authentication Bypass in Jenkins Active Directory Plugin
CVE-2020-2301

9.8CRITICAL

Key Information:

Vendor: Jenkins
Status: Jenkins Active Directory Plugin
Vendor: CVE Published:; 4 November 2020

Summary

The Jenkins Active Directory Plugin prior to version 2.20 suffers from an authentication bypass flaw, enabling attackers to impersonate any user with any password, as long as the successful authentication of that user is still present in the cache during Windows/ADSI mode usage. This flaw presents significant security implications, allowing unauthorized access to user accounts and potentially compromising sensitive information.

Affected Version(s)

Jenkins Active Directory Plugin <= 2.19

Jenkins Active Directory Plugin 2.16.1

References

https://www.jenkins.io/security/advisory/2020-11-04/#SECU...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 4, 2020
Vulnerability Reserved
Dec 5, 2019