[MAVEN:GHSA-8WCW-CW2F-H4G2] Improper Authentication (empty password) in Jenkins Active Directory Plugin

Severity Critical
Affected Packages 2
Fixed Packages 2
CVEs 1

Jenkins Active Directory Plugin implements two separate modes: integration with ADSI on Windows, and an OS-agnostic LDAP-based mode. Only the Windows/ADSI mode is affected by this advisory.

The Windows/ADSI mode does not specifically prohibit the use of empty passwords in Active Directory Plugin prior to 2.20 and 2.16.1. If the Active Directory server allows the unauthenticated bind operation (an LDAP simple bind carrying a name but an empty password, which the server answers with success while leaving the session anonymous), the plugin's "bind succeeded" check passes for any valid username, and attackers can log in to Jenkins as any user by providing an empty password.

Jenkins Active Directory Plugin 2.20 and 2.16.1 prohibit the use of an empty password to log in (2.16.1 fixes the 2.16 line; 2.20 fixes 2.17 through 2.19).
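The mechanism behind the advisory, as an added example (not the plugin's code): RFC 4513 section 5.1 defines three simple-bind cases, anonymous (empty name, empty password, 5.1.1), unauthenticated (name, empty password, 5.1.2) and name/password (5.1.3). A server that permits the unauthenticated case returns success for it, so an authenticator that equates "bind returned success" with "the user proved the password" accepts any username with an empty password. The directory below is a constructed toy that implements those three cases; `login_vulnerable` shows the flawed pattern and `login_fixed` the check the fix introduces. The user entries are constructed sample data. One simplification is labelled in a comment: a real Bind response does not report the resulting authorization identity, so real code confirms it with the WhoAmI extended operation (RFC 4532) rather than reading it off the bind result.

```python
"""Toy illustration of why an empty password passes an LDAP-bind-based login.

Constructed example; the directory, users and login routines are not the
Active Directory Plugin's code. Bind semantics follow RFC 4513 section 5.1.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# LDAP resultCode values (RFC 4511 Appendix A).
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53


@dataclass
class BindResult:
    result_code: int
    # Authorization identity of the session after the bind; None = anonymous.
    # Simplification: a real BindResponse does not carry this field, a client
    # would issue a WhoAmI extended operation (RFC 4532) to learn it.
    authz_dn: Optional[str]


class ToyDirectory:
    """Minimal simple-bind behaviour of a directory server (constructed)."""

    def __init__(self, users: Dict[str, str], allow_unauthenticated: bool):
        self._users = users  # dn -> password, constructed sample data
        self._allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, name: str, password: str) -> BindResult:
        if name == "" and password == "":
            # 5.1.1 anonymous bind: always succeeds, session is anonymous.
            return BindResult(SUCCESS, None)
        if name != "" and password == "":
            # 5.1.2 unauthenticated bind: success if permitted, but the
            # session is still anonymous; no password was ever checked.
            if self._allow_unauthenticated:
                return BindResult(SUCCESS, None)
            return BindResult(UNWILLING_TO_PERFORM, None)
        # 5.1.3 name/password bind: the only case that proves the password.
        if self._users.get(name) == password:
            return BindResult(SUCCESS, name)
        return BindResult(INVALID_CREDENTIALS, None)


def login_vulnerable(directory: ToyDirectory, dn: str, password: str) -> bool:
    """The flawed pattern: bind success is taken as proof of the password."""
    return directory.simple_bind(dn, password).result_code == SUCCESS


def login_fixed(directory: ToyDirectory, dn: str, password: str) -> bool:
    """Refuse empty passwords before binding (what the fix does), and as
    defence in depth require the session to be bound as the claimed DN."""
    if not password:
        return False
    result = directory.simple_bind(dn, password)
    return result.result_code == SUCCESS and result.authz_dn == dn


# Constructed sample data for the demonstration.
USERS = {"CN=admin,DC=example,DC=test": "correct horse battery staple"}
ADMIN_DN = "CN=admin,DC=example,DC=test"
PERMISSIVE_DC = ToyDirectory(USERS, allow_unauthenticated=True)
STRICT_DC = ToyDirectory(USERS, allow_unauthenticated=False)


def demo() -> Dict[str, bool]:
    """Outcome of each login routine against each server policy."""
    return {
        "vulnerable/permissive/empty": login_vulnerable(PERMISSIVE_DC, ADMIN_DN, ""),
        "vulnerable/strict/empty": login_vulnerable(STRICT_DC, ADMIN_DN, ""),
        "fixed/permissive/empty": login_fixed(PERMISSIVE_DC, ADMIN_DN, ""),
        "fixed/permissive/correct": login_fixed(PERMISSIVE_DC, ADMIN_DN, USERS[ADMIN_DN]),
        "fixed/permissive/wrong": login_fixed(PERMISSIVE_DC, ADMIN_DN, "wrong"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'logged in' if outcome else 'rejected'}")
```

The first line of the demo output is the bug: against a server that permits unauthenticated binds, the vulnerable routine logs the attacker in with an empty password. The server-side condition is worth checking independently of the plugin upgrade; a bind with a real DN and an empty password (for example `ldapwhoami -x -H ldap://dc.example.test -D "CN=admin,DC=example,DC=test" -w ""`) reveals whether your directory answers success (the session is anonymous) or refuses with result code 53.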

ID
MAVEN:GHSA-8WCW-CW2F-H4G2
Severity
critical
URL
https://github.com/advisories/GHSA-8wcw-cw2f-h4g2
Published
2022-05-24T17:33:07
Modified
2023-12-20T14:32:31
Rights
Maven Security Team
Other Advisories
Type      Package URL                                          Namespace               Name / Product     Version            Distribution / Platform  Arch  Patch / Fix
Affected  pkg:maven/org.jenkins-ci.plugins/active-directory   org.jenkins-ci.plugins  active-directory   < 2.16.1
Fixed     pkg:maven/org.jenkins-ci.plugins/active-directory   org.jenkins-ci.plugins  active-directory   = 2.16.1
Affected  pkg:maven/org.jenkins-ci.plugins/active-directory   org.jenkins-ci.plugins  active-directory   >= 2.17, < 2.20
Fixed     pkg:maven/org.jenkins-ci.plugins/active-directory   org.jenkins-ci.plugins  active-directory   = 2.20