PT-2023-26191 · Jenkins · Jenkins Active Directory Plugin
Published 2023-07-12 · Updated 2023-07-20 · CVE-2023-37943
CVSS v3.1: 5.9 (Medium)
CVSS v3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Active Directory Plugin versions 2.30 and earlier
Description
An attacker able to observe network traffic between the Jenkins controller and Active Directory servers can capture Active Directory credentials. The cause is that the plugin performs its connection test to Active Directory over an unencrypted connection, ignoring the "Require TLS" and "StartTls" options. Only the connection test is affected: connections made during the login process are encrypted when the corresponding TLS option is enabled.
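The exposure described above is visible on the wire as an LDAP simple bind carrying a password on a session that was never upgraded to TLS. The following is an added example, not code from the advisory or the plugin: it decodes LDAP BindRequest and StartTLS messages from a client-to-server stream and reports the DNs whose password left the controller unencrypted, which is a practical way to confirm a patched plugin no longer does so. The service DN, password and message bytes are constructed for the example.

```python
# Added example, not the plugin's code: flag LDAP simple binds sent before the session is encrypted.
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def _tlv(buf, pos):
    """Read one BER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_ldap_message(raw):
    """Decode one LDAPMessage into {'id', 'kind', ...}; kind is bind, starttls or other."""
    _, body, _ = _tlv(raw, 0)               # outer SEQUENCE: messageID, protocolOp
    _, msgid, pos = _tlv(body, 0)
    op_tag, op, _ = _tlv(body, pos)
    msg = {"id": int.from_bytes(msgid, "big"), "kind": "other"}
    if op_tag == 0x60:                      # [APPLICATION 0] BindRequest: version, name, auth
        _, _ver, p = _tlv(op, 0)
        _, name, p = _tlv(op, p)
        auth_tag, cred, _ = _tlv(op, p)     # [0] simple password (0x80) or [3] SASL (0xA3)
        msg.update(kind="bind", dn=name.decode(), has_password=auth_tag == 0x80 and len(cred) > 0)
    elif op_tag == 0x77:                    # [APPLICATION 23] ExtendedRequest, requestName [0]
        name_tag, oid, _ = _tlv(op, 0)
        if name_tag == 0x80 and oid == STARTTLS_OID:
            msg["kind"] = "starttls"
    return msg

def find_cleartext_binds(client_messages, tls_from_start=False):
    """Return DNs whose password went out unencrypted; tls_from_start models LDAPS, StartTLS assumed accepted."""
    encrypted, exposed = tls_from_start, []
    for raw in client_messages:
        m = parse_ldap_message(raw)
        if m["kind"] == "starttls":
            encrypted = True
        elif m["kind"] == "bind" and m["has_password"] and not encrypted:
            exposed.append(m["dn"])
    return exposed

# Constructed sample traffic below; tiny BER encoder, short-form lengths only (payloads < 128 bytes).
def _enc(tag, payload):
    return bytes([tag, len(payload)]) + payload
def bind_request(msgid, dn, password):
    op = _enc(0x02, b"\x03") + _enc(0x04, dn.encode()) + _enc(0x80, password.encode())
    return _enc(0x30, _enc(0x02, bytes([msgid])) + _enc(0x60, op))
def starttls_request(msgid):
    return _enc(0x30, _enc(0x02, bytes([msgid])) + _enc(0x77, _enc(0x80, STARTTLS_OID)))
SVC_DN = "CN=jenkins-svc,OU=Service,DC=example,DC=test"              # constructed DN
UNENCRYPTED_TEST = [bind_request(1, SVC_DN, "s3cret")]               # bind with TLS options ignored
STARTTLS_TEST = [starttls_request(1), bind_request(2, SVC_DN, "s3cret")]
```

Run against a real capture by feeding the client-side LDAP PDUs of one TCP session in order; a non-empty result means a bind password crossed the network in the clear.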
Recommendations
For Jenkins Active Directory Plugin versions 2.30 and earlier, update to version 2.30.1 or later. From that version the "Require TLS" and "StartTls" options are also honoured by the connection test, so the test connection is encrypted and the credentials are protected.
Weakness Enumeration
Missing Encryption of Sensitive Data
Affected Products
Jenkins
Jenkins Active Directory Plugin