Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2023/07/12/2 | Mailing List Third Party Advisory |
https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059 | Vendor Advisory |
http://www.openwall.com/lists/oss-security/2023/07/12/2 | Mailing List Third Party Advisory |
https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059 | Vendor Advisory |
Configurations
History
21 Nov 2024, 08:12
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.openwall.com/lists/oss-security/2023/07/12/2 - Mailing List, Third Party Advisory | |
References | () https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059 - Vendor Advisory |
20 Jul 2023, 01:46
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) http://www.openwall.com/lists/oss-security/2023/07/12/2 - Mailing List, Third Party Advisory | |
References | (MISC) https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059 - Vendor Advisory | |
CWE | CWE-311 | |
First Time |
Jenkins
Jenkins active Directory |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.9 |
CPE | cpe:2.3:a:jenkins:active_directory:*:*:*:*:*:jenkins:*:* |
13 Jul 2023, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
12 Jul 2023, 17:58
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-12 16:15
Updated : 2024-11-21 08:12
NVD link : CVE-2023-37943
Mitre link : CVE-2023-37943
CVE.ORG link : CVE-2023-37943
JSON object : View
Products Affected
jenkins
- active_directory
CWE
CWE-311
Missing Encryption of Sensitive Data