PT-2020-15529 · Jenkins · Jenkins Active Directory Plugin (+1)
Lee Jones (+2)
Published: 2020-11-04 · Updated: 2023-10-25
CVE-2020-2299
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins Active Directory Plugin versions 1.44 through 2.19
Jenkins Active Directory Plugin versions prior to 2.16.1 and 2.20
Description
The vulnerability allows an attacker to log in as any user by supplying a magic constant as the password. The cause is code shared between user lookup and user authentication in the plugin's LDAP-based mode: the magic constant is passed in place of a real password to tell the two behaviors apart, so the same value is accepted when it arrives from the login form.
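To make the flaw class concrete, here is an added toy model in Python (example code, not the plugin's own; the directory data, the sentinel string and the hardened variant are all constructed for illustration). It shows a single routine that serves both lookup and authentication and uses a sentinel password to tell them apart, beside a version with separate entry points where a login always performs a bind.

```python
# Constructed in-memory stand-in for a directory: username -> password.
DIRECTORY = {
    "alice": "correct horse battery staple",
    "admin": "s3cret-admin-passphrase",
}

LOOKUP_SENTINEL = "<<LOOKUP-ONLY>>"  # invented sentinel; not the real constant


def dn_for(username: str) -> str:
    return f"CN={username},DC=example,DC=com"


def ldap_bind(username: str, password: str) -> bool:
    """Simulated simple bind: succeeds only with the stored password."""
    return username in DIRECTORY and password == DIRECTORY[username]


# --- Vulnerable shape: lookup and authentication share one code path ----
def vulnerable_lookup_or_authenticate(username: str, password: str):
    """Return the user's DN, or None. Internal callers pass LOOKUP_SENTINEL
    as the password to get a lookup without a bind."""
    if username not in DIRECTORY:
        return None
    if password == LOOKUP_SENTINEL:   # lookup mode: the bind is skipped
        return dn_for(username)
    return dn_for(username) if ldap_bind(username, password) else None


def vulnerable_login(username: str, password: str) -> bool:
    # The login form hands the user-supplied password straight to the shared
    # routine, so anyone who knows the sentinel is "authenticated".
    return vulnerable_lookup_or_authenticate(username, password) is not None


# --- Hardened shape: separate entry points; a login always binds ---------
def lookup_user(username: str):
    """Lookup takes no password and never implies authentication."""
    return dn_for(username) if username in DIRECTORY else None


def authenticate(username: str, password: str) -> bool:
    """Bind with exactly the password the user supplied; an empty password
    is refused up front because LDAP treats it as an anonymous bind."""
    if lookup_user(username) is None or not password:
        return False
    return ldap_bind(username, password)
```

The detection lesson is the same as the fix: an authentication routine should have no input value that makes it skip the credential check, so any sentinel or mode flag in its parameter list is worth a review.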
Recommendations
For Jenkins Active Directory Plugin versions 1.44 through 2.19, update to version 2.20 or later.
For Jenkins Active Directory Plugin versions prior to 2.16.1, update to version 2.16.1 or later.
As a temporary workaround, consider restricting access to the LDAP-based mode until a patch is available.
Weakness Enumeration
Improper Authentication
Related Identifiers
CVE-2020-2299
Affected Products
Jenkins
Jenkins Active Directory Plugin