Jenkins Active Directory Plugin Ignores TLS Settings and Connects to Active Directory Unencrypted
CVE-2023-37943
5.9MEDIUM
Summary
Jenkins Active Directory Plugin 2.30 and earlier ignores the 'Require TLS' and 'StartTLS' options, so the plugin always connects to Active Directory servers over an unencrypted LDAP connection regardless of how those options are set. The bind credentials and directory queries therefore travel in cleartext, and an attacker able to capture network traffic between the Jenkins controller and the Active Directory servers can obtain usernames and passwords. The CVSS rating is medium because the attacker must already be positioned on the network path; the impact on confidentiality is nevertheless high. Administrators running an affected version should update to a release that honours these settings and, until then, treat the controller-to-AD path as untrusted.
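The practical question this advisory raises is whether a given controller-to-AD connection is actually encrypted. The following check is an added example and not code from the page or from the plugin: it takes the first client-to-server bytes of a TCP stream to an AD server (for instance exported from a packet capture) and reports whether the session starts with a TLS handshake (LDAPS on 636), with an LDAP StartTLS extended request, or with a cleartext simple bind. In the last case it recovers the DN and password exactly as an on-path attacker would. The BER/LDAP encoding follows RFC 4511; the sample DN, password and TLS record prefix are constructed for the demonstration, and the function names are the example's own.

```python
# Added example, not the Active Directory plugin's own code.  Hand-written BER
# parsing keeps the script dependency-free so it runs offline on raw bytes.

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)


def encode_tlv(tag, value):
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def read_tlv(buf, pos=0):
    """Decode one BER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_simple_bind(dn, password, msg_id=1):
    """Constructed sample: LDAPv3 BindRequest [APPLICATION 0] with simple auth."""
    bind = encode_tlv(0x60, encode_tlv(0x02, b"\x03")             # version 3
                      + encode_tlv(0x04, dn.encode())             # name (DN)
                      + encode_tlv(0x80, password.encode()))      # simple [0] = password
    return encode_tlv(0x30, encode_tlv(0x02, bytes([msg_id])) + bind)


def build_starttls_request(msg_id=1):
    """Constructed sample: ExtendedRequest [APPLICATION 23] carrying the StartTLS OID."""
    ext = encode_tlv(0x77, encode_tlv(0x80, STARTTLS_OID))
    return encode_tlv(0x30, encode_tlv(0x02, bytes([msg_id])) + ext)


def classify_first_bytes(data):
    """Classify the first client->server bytes of a connection to an LDAP/AD port."""
    if len(data) < 2:
        return {"kind": "unknown"}
    if data[0] == 0x16 and data[1] == 0x03:          # TLS record: handshake, version 3.x
        return {"kind": "tls"}
    if data[0] != 0x30:                               # not a BER SEQUENCE, so not LDAP
        return {"kind": "unknown"}
    _, msg, _ = read_tlv(data, 0)
    _, _msg_id, pos = read_tlv(msg, 0)
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag == 0x77:                                # ExtendedRequest
        oid_tag, oid, _ = read_tlv(op, 0)
        if oid_tag == 0x80 and oid == STARTTLS_OID:
            return {"kind": "ldap-starttls"}
        return {"kind": "ldap-other"}
    if op_tag == 0x60:                                # BindRequest before any TLS: cleartext
        _, _version, pos = read_tlv(op, 0)
        _, dn, pos = read_tlv(op, pos)
        auth_tag, auth, _ = read_tlv(op, pos)
        if auth_tag == 0x80:                          # simple auth: password on the wire
            return {"kind": "ldap-bind-cleartext",
                    "dn": dn.decode("utf-8", "replace"),
                    "password": auth.decode("utf-8", "replace")}
        return {"kind": "ldap-bind-sasl"}             # [3] SaslCredentials, e.g. GSSAPI
    return {"kind": "ldap-other"}


if __name__ == "__main__":
    # Constructed samples; the DN and password are invented for this example.
    samples = {
        "ldaps":    b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03",   # TLS ClientHello prefix
        "starttls": build_starttls_request(),
        "plain":    build_simple_bind("CN=jenkins-svc,OU=Service Accounts,DC=corp,DC=example",
                                      "Sup3rSecret!"),
    }
    for name, raw in samples.items():
        print(name, classify_first_bytes(raw))
```

The tell for this bug is a BindRequest (tag 0x60) as the very first LDAP operation on port 389: a plugin that honoured 'StartTLS' would send the extended request first, and one that honoured 'Require TLS' would either do that or speak TLS from the first byte on 636. Feed the function the first packet payload of the controller's connection (for example the data of the first client segment in a `tcpdump -w` capture) to confirm whether an upgrade or a configuration change has actually taken effect.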
Affected Version(s)
Jenkins Active Directory Plugin, all releases up to and including 2.30
References
CVSS V3.1
Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved