CVE-2023-37943

Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active Directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.
Configurations

Configuration 1

cpe:2.3:a:jenkins:active_directory:*:*:*:*:*:jenkins:*:*

History

20 Jul 2023, 01:46

Type (Values Removed / Values Added)
  • First Time: added "Jenkins"; "Jenkins active Directory"
  • References: removed "(MISC) http://www.openwall.com/lists/oss-security/2023/07/12/2 -"; added "(MISC) http://www.openwall.com/lists/oss-security/2023/07/12/2 - Mailing List, Third Party Advisory"
  • References: removed "(MISC) https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059 -"; added "(MISC) https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059 - Vendor Advisory"
  • CWE: added CWE-311
  • CVSS: removed "v2 : unknown, v3 : unknown"; added "v2 : unknown, v3 : 5.9"
  • CPE: added cpe:2.3:a:jenkins:active_directory:*:*:*:*:*:jenkins:*:*

13 Jul 2023, 23:15

Type (Values Removed / Values Added)
  • References: added "(MISC) http://www.openwall.com/lists/oss-security/2023/07/12/2 -"

12 Jul 2023, 17:58

Type (Values Removed / Values Added)
  • New CVE

Information

Published : 2023-07-12 16:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-37943

Mitre link : CVE-2023-37943

CVE.ORG link : CVE-2023-37943



Products Affected

jenkins

  • active_directory
CWE
CWE-311

Missing Encryption of Sensitive Data