Authentication Bypass Affecting org.jenkins-ci.plugins:active-directory package, versions [,2.20)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.24% (65th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Authentication Bypass vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGJENKINSCIPLUGINS-1037281
  • published5 Nov 2020
  • disclosed5 Nov 2020
  • creditVic Chappill, Lee Jones, and Matthew Maylin, Siemens

Introduced: 5 Nov 2020

CVE-2020-2300  (opens in a new tab)
CWE-287  (opens in a new tab)

How to fix?

Upgrade org.jenkins-ci.plugins:active-directory to version 2.20 or higher.

Overview

Affected versions of this package are vulnerable to Authentication Bypass. Active Directory Plugin implements two separate modes: Integration with ADSI on Windows, and an OS agnostic LDAP-based mode.The Windows/ADSI mode does not specifically prohibit use of empty passwords in Active Directory Plugin 2.19 and earlier. If the Active Directory server allows the unauthenticated bind operation, this allows attackers to log in to Jenkins as any user by providing an empty password.

CVSS Scores

version 3.1