CVE-2017-2649

HIGH

Jenkins Active Directory Plugin <= 2.2 - Improper Certificate Validation

Title source: llm

Exploitation Summary

EIP tracks 2 public repositories for CVE-2017-2649, published by dawetmaster and andikahilmy. Both contain the vulnerable plugin source rather than a working exploit.

AI-analyzed exploit summary

This repository contains the vulnerable source code of the Jenkins Active Directory plugin affected by CVE-2017-2649. It includes the plugin's Java source files but lacks an exploit PoC or technical analysis of the vulnerability itself.

Description

The Active Directory Plugin for Jenkins, up to and including version 2.2, did not verify the TLS certificate presented by the Active Directory server. An attacker positioned on the network path between Jenkins and the domain controller can therefore impersonate the directory and intercept the connection Jenkins uses to authenticate its users (man-in-the-middle).
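The example below is added here to show the flaw class rather than the plugin's own code (the plugin is Java and talks LDAP via JNDI; this is a stand-alone Go program chosen because its standard library can mint certificates and run TLS endpoints offline). It stands up two loopback TLS servers for the assumed directory hostname ad.example.com: one holding the "genuine" domain-controller key and one holding an attacker's forged certificate for the same name. A client configured like the vulnerable plugin (skip verification) completes the handshake with the impostor; a client that pins the real anchor and keeps hostname checking on rejects it with an unknown-authority error and still accepts the genuine server. All certificates, keys and hostnames are constructed in the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const adHost = "ad.example.com" // assumed directory hostname Jenkins is configured with

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert issues a self-signed server certificate for adHost; the genuine
// domain controller and the impostor each get one, and only the key differs.
func selfSignedCert() (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		DNSNames:              []string{adHost},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// serveOnce listens on loopback with cert, completes one handshake in the background
// (a rejecting client ends it with an alert, which is expected) and returns the address.
func serveOnce(cert tls.Certificate) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	must(err)
	go func() {
		defer ln.Close()
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	return ln.Addr().String()
}

// vulnerableConfig reproduces the flaw class: every server certificate is accepted.
func vulnerableConfig() *tls.Config { return &tls.Config{InsecureSkipVerify: true} }

// hardenedConfig trusts only the pinned anchor; because InsecureSkipVerify is
// false, Go also checks the certificate's SANs against ServerName.
func hardenedConfig(anchor *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(anchor)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// connect performs a TLS handshake with addr while expecting adHost.
func connect(addr string, cfg *tls.Config) error {
	cfg = cfg.Clone()
	cfg.ServerName = adHost
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Result records how each client treated the impostor and the genuine server.
type Result struct {
	VulnerableAcceptsRogue bool
	HardenedRejectsRogue   bool // rejected specifically with x509.UnknownAuthorityError
	HardenedAcceptsReal    bool
}

// RunScenario plays the interception out on loopback: same hostname, two keys.
func RunScenario() Result {
	realCert, realLeaf := selfSignedCert()
	rogueCert, _ := selfSignedCert()
	var unknown x509.UnknownAuthorityError
	return Result{
		VulnerableAcceptsRogue: connect(serveOnce(rogueCert), vulnerableConfig()) == nil,
		HardenedRejectsRogue:   errors.As(connect(serveOnce(rogueCert), hardenedConfig(realLeaf)), &unknown),
		HardenedAcceptsReal:    connect(serveOnce(realCert), hardenedConfig(realLeaf)) == nil,
	}
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

The two things the hardened client does that the vulnerable one does not are chain validation against an explicit trust anchor and hostname matching; dropping either one reopens the interception, since the forged certificate here carries the correct name and a skip-verify client never looks at the signer. In the plugin's Java setting the equivalent mistake is installing a trust-all X509TrustManager on the LDAP connection.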

Exploits (2)

nomisec WRITEUP
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2017-2649-active-directory-plugin-vulnerable

This repository contains the vulnerable source code of the Jenkins Active Directory plugin affected by CVE-2017-2649. It includes the plugin's Java source files but lacks an exploit PoC or technical analysis of the vulnerability itself.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Jenkins Active Directory Plugin
No auth needed
Prerequisites: Network position between a vulnerable Jenkins instance (Active Directory plugin <= 2.2) and its Active Directory server
devstral-2 · analyzed Mar 14, 2026
nomisec WRITEUP
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2017-2649-active-directory-plugin-vulnerable

This repository contains the vulnerable source code of the Jenkins Active Directory plugin affected by CVE-2017-2649, an improper certificate validation issue (CWE-295) that lets a man-in-the-middle impersonate the Active Directory server the plugin authenticates against. The code includes the plugin's implementation files but lacks an actual exploit or proof-of-concept, making it a technical reference for analysis rather than an exploit.

Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Theoretical
Target: Jenkins Active Directory Plugin (<= 2.2, prior to the fix)
No auth needed
Prerequisites: Network position between a vulnerable Jenkins instance with the Active Directory plugin enabled and its Active Directory server
devstral-2 · analyzed Feb 18, 2026

References (2)

Third Party Advisory, VDB Entry (BID): http://www.securityfocus.com/bid/96986
Vendor Advisory: https://jenkins.io/security/advisory/2017-03-20/

Scores

CVSS v3 8.1
EPSS 0.0005
EPSS Percentile 15.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-295
Status published
Products (2)
jenkins/active_directory <= 2.2
org.jenkins-ci.plugins/active-directory 0 - 2.3 (Maven)
Published Jul 27, 2018
Tracked Since Feb 18, 2026