CVE-2023-37943
Severity: MEDIUM
Jenkins Active Directory Plugin < 2.30 - Unauthenticated Sensitive Data Exposure via Unencrypted Connection Test
Title source: llmDescription
Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active Directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.
References (2)
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/07/12/2
Vendor Advisory
https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059
Scores
CVSS v3
5.9
EPSS
0.0038
EPSS Percentile
29.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-311
Status
published
Products (2)
jenkins/active_directory
< 2.30
org.jenkins-ci.plugins/active-directory
0 - 2.30.1 (Maven)
Published
Jul 12, 2023
Tracked Since
Feb 18, 2026