Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2023/07/12/2 | Mailing List Third Party Advisory |
https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059 | Vendor Advisory |
Configurations
History
20 Jul 2023, 01:46
Type | Values Removed | Values Added |
---|---|---|
First Time |
Jenkins
Jenkins active Directory |
|
References | (MISC) http://www.openwall.com/lists/oss-security/2023/07/12/2 - Mailing List, Third Party Advisory | |
References | (MISC) https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059 - Vendor Advisory | |
CWE | CWE-311 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.9 |
CPE | cpe:2.3:a:jenkins:active_directory:*:*:*:*:*:jenkins:*:* |
13 Jul 2023, 23:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
12 Jul 2023, 17:58
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-07-12 16:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-37943
Mitre link : CVE-2023-37943
CVE.ORG link : CVE-2023-37943
JSON object : View
Products Affected
jenkins
- active_directory
CWE
CWE-311
Missing Encryption of Sensitive Data