CVE-2023-37943

Опубликовано: 12 июл. 2023

Источник: nvd

CVSS3: 5.9

EPSS Низкий

Описание

Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.

Ссылки

http://www.openwall.com/lists/oss-security/2023/07/12/2
Mailing List
Third Party Advisory
https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059
Vendor Advisory
http://www.openwall.com/lists/oss-security/2023/07/12/2
Mailing List
Third Party Advisory
https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jenkins:active_directory:*:*:*:*:*:jenkins:*:*

Версия до 2.30 (включая)

EPSS

Процентиль: 8%

0.00029

Низкий

5.9 Medium

CVSS3

Дефекты

CWE-311

Связанные уязвимости

GHSA-g8c3-6fj2-87w7