PT-2020-15530 · Jenkins · Jenkins Active Directory Plugin+1
Lee Jones
+2
·
Published
2020-11-04
·
Updated
2023-10-25
·
CVE-2020-2300
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins Active Directory Plugin versions 2.19 and earlier
Description
The issue allows attackers to log in to Jenkins as any user by providing an empty password, depending on the configuration of the Active Directory server. This is possible because the Windows/ADSI mode does not specifically prohibit the use of empty passwords. If the Active Directory server allows the unauthenticated bind operation, attackers can exploit this to gain unauthorized access.
Recommendations
For Jenkins Active Directory Plugin versions 2.19 and earlier, update to version 2.20 or 2.16.1 to prohibit the use of empty passwords and prevent unauthorized logins.
Exploit
Fix
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Active Directory Plugin