PT-2020-15532 · Jenkins · Jenkins Active Directory Plugin (+1)

Author: Matt Sicker · Published: 2020-11-04 · Updated: 2023-10-25 · CVE-2020-2302

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Active Directory Plugin versions 2.19 and earlier

Description: A missing permission check in the Jenkins Active Directory Plugin allows attackers with Overall/Read permission to access the domain health check diagnostic page. This issue is resolved in version 2.20, which requires Overall/Administer permission to access the domain health check diagnostic page.

Recommendations: For Jenkins Active Directory Plugin versions 2.19 and earlier, update to version 2.20 or later to require Overall/Administer permission for accessing the domain health check diagnostic page. As a temporary workaround, consider restricting access to the domain health check diagnostic page to minimize the risk of exploitation.
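The defect the description names, a Stapler-bound web method served without any permission check, shown beside the check that the fixed version's behaviour (Overall/Administer required) implies. This is an added illustration, not the plugin's own code: the class name, method names and the report body are hypothetical, only the Jenkins core calls are real.

```java
import jenkins.model.Jenkins;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;

import java.io.IOException;

// Hypothetical Stapler-bound object; the real plugin's class and URL names are not on the page.
public class DomainHealthDiagnostics {

    // Vulnerable shape (what the advisory describes for 2.19 and earlier):
    // nothing stronger than reaching the URL is checked, so any account with
    // Overall/Read can view the diagnostic output.
    public void doHealthCheckUnchecked(StaplerRequest req, StaplerResponse rsp) throws IOException {
        writeReport(rsp);
    }

    // Fixed shape (2.20 and later): fail closed before any work is done.
    // checkPermission throws an access-denied exception for callers lacking
    // Overall/Administer, which Jenkins turns into a 403 response.
    public void doHealthCheck(StaplerRequest req, StaplerResponse rsp) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        writeReport(rsp);
    }

    private void writeReport(StaplerResponse rsp) throws IOException {
        rsp.setContentType("text/plain;charset=UTF-8");
        // Placeholder body: the real diagnostic content is plugin-specific.
        rsp.getWriter().println("domain health check output (placeholder)");
    }
}
```

When reviewing a plugin for this class of bug, every `do*` web method and `@JavaScriptMethod` that exposes configuration or diagnostic detail should begin with a `checkPermission` call; the check belongs in the handler itself, not only in the Jelly view that links to it.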

Fix

Weakness Enumeration
Missing Authorization

Related Identifiers
CVE-2020-2302
GHSA-Q6RQ-4WHR-R879

Affected Products
Jenkins
Jenkins Active Directory Plugin