CVE-2019-1003009

Опубликовано: 06 фев. 2019

Источник: nvd

CVSS3: 7.4

CVSS2: 5.8

EPSS Низкий

Описание

An improper certificate validation vulnerability exists in Jenkins Active Directory Plugin 2.10 and earlier in src/main/java/hudson/plugins/active_directory/ActiveDirectoryDomain.java, src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java, src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java that allows attackers to impersonate the Active Directory server Jenkins connects to for authentication if Jenkins is configured to use StartTLS.

Ссылки

https://jenkins.io/security/advisory/2019-01-28/#SECURITY-859
Vendor Advisory
https://jenkins.io/security/advisory/2019-01-28/#SECURITY-859
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jenkins:active_directory:*:*:*:*:*:jenkins:*:*

Версия до 2.10 (включая)

EPSS

Процентиль: 8%

0.0003

Низкий

7.4 High

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-295

Связанные уязвимости

GHSA-2h95-4xw9-m68j