CVE-2020-2301

Name of the Vulnerable Software and Affected Versions Jenkins Active Directory Plugin versions 2.19 and earlier Jenkins Active Directory Plugin versions prior to 2.20 and 2.16.1

Description The issue allows attackers to log in as any user with any password while a successful authentication of that user is still in the optional cache when using Windows/ADSI mode. The plugin implements two separate modes: Integration with ADSI on Windows, and an OS agnostic LDAP-based mode. A cache can be configured to remember user lookups and user authentications, which is the source of the problem. In Windows/ADSI mode, the provided password was not used when looking up an applicable cache entry.

Recommendations For Jenkins Active Directory Plugin versions 2.19 and earlier, update to version 2.20 or 2.16.1 to resolve the issue. For Jenkins Active Directory Plugin versions prior to 2.20 and 2.16.1, update to version 2.20 or 2.16.1 to resolve the issue. As a temporary workaround, consider disabling the cache to prevent exploitation. Alternatively, set the Java system property hudson.plugins.active directory.CacheUtil.noCacheAuth to true to no longer cache user authentications.