GHSA-g8c3-6fj2-87w7

Suggest an improvement
Source
https://github.com/advisories/GHSA-g8c3-6fj2-87w7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-g8c3-6fj2-87w7/GHSA-g8c3-6fj2-87w7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g8c3-6fj2-87w7
Aliases
Published
2023-07-12T18:30:38Z
Modified
2024-02-16T08:12:07.792969Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Jenkins Active Directory Plugin vulnerable to Active Directory credential disclosure
Details

Jenkins Active Directory Plugin allows testing a new, unsaved configuration by performing a connection test (the button labeled "Test Domain").

Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted. This allows attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.

This only affects the connection test. Connections established during the login process are encrypted if the corresponding TLS option is enabled.

Active Directory Plugin 2.30.1 considers the "Require TLS" and "StartTls" options for connection tests.

Database specific
{
    "nvd_published_at": "2023-07-12T16:15:13Z",
    "cwe_ids": [
        "CWE-311"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-12T19:49:50Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:active-directory

Package

Name
org.jenkins-ci.plugins:active-directory
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/active-directory

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.30.1

Affected versions

1.*

1.18
1.19
1.20
1.21
1.22
1.23
1.24
1.25
1.26
1.27
1.28
1.29
1.30
1.31
1.32
1.33
1.34
1.35
1.36
1.37
1.38
1.39
1.41
1.42
1.43
1.44
1.45
1.46
1.47
1.48
1.49

2.*

2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11
2.12
2.13
2.14
2.15
2.16
2.16.1
2.17
2.18
2.19
2.20
2.22
2.23
2.23.1
2.24
2.24.1
2.25
2.25.1
2.26
2.27
2.28
2.29
2.30