Unencrypted Connection Issues in Jenkins Active Directory Plugin Affects Security
CVE-2023-37943
What is CVE-2023-37943?
The Jenkins Active Directory Plugin, in versions up to and including 2.30, has a critical security flaw: the 'Require TLS' and 'StartTLS' settings are ignored. As a result, the plugin always connects to Active Directory over an unencrypted connection. An attacker positioned on the network path between the Jenkins controller and the Active Directory servers can therefore intercept that traffic, exposing user credentials sent during authentication. Users of affected versions should promptly apply any available update to close this exposure.
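A defender-side check, added here as an example and not part of the advisory: it reads a Jenkins plugin inventory (the JSON shape returned by `/pluginManager/api/json?depth=1`; the sample below is constructed inline) and flags installations of the Active Directory plugin in the affected range 0 <= 2.30, comparing versions numerically rather than as strings. The plugin short name `active-directory` and the `shortName`/`version` field names are assumptions.

```python
import json
import re

# Upper bound of the affected range stated in the advisory (inclusive).
MAX_AFFECTED = "2.30"
# Assumed short name of the plugin in Jenkins' plugin inventory.
PLUGIN_ID = "active-directory"


def parse_version(v):
    """Split a plugin version into comparable integer components.

    '2.30' -> (2, 30); '2.30.1' -> (2, 30, 1). Non-numeric suffixes such as
    '-beta' are dropped. Tuples avoid the string-comparison pitfall where
    '2.4' would sort after '2.30'.
    """
    parts = []
    for token in v.split("."):
        m = re.match(r"\d+", token)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version):
    """True when the version lies in the advisory's range 0 <= 2.30."""
    return parse_version(version) <= parse_version(MAX_AFFECTED)


def find_vulnerable_plugins(inventory_json):
    """Return the installed versions of the Active Directory plugin that
    fall inside the affected range, given a plugin inventory as JSON."""
    data = json.loads(inventory_json)
    findings = []
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_ID:
            continue
        if is_affected(plugin.get("version", "0")):
            findings.append(plugin["version"])
    return findings


# Constructed sample inventory mimicking /pluginManager/api/json?depth=1
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "active-directory", "version": "2.25"},
    {"shortName": "git", "version": "5.2.1"},
]})

if __name__ == "__main__":
    print(find_vulnerable_plugins(SAMPLE_INVENTORY))  # -> ['2.25']
```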

Affected Version(s)
Jenkins Active Directory Plugin, all versions from 0 up to and including 2.30