CVE-2023-37943

MEDIUM

Jenkins Active Directory < 2.30 - Missing Encryption


Description

Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active Directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.

Scores

CVSS v3 5.9
EPSS 0.0004
EPSS Percentile 10.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-311
Status published
Products (2)
jenkins/active_directory < 2.30
org.jenkins-ci.plugins/active-directory 0 - 2.30.1 (Maven)
Published Jul 12, 2023
Tracked Since Feb 18, 2026