Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0yd2Y1LTRtZjctdm1oM84AAmgX

CSRF vulnerability in Jenkins Active Directory Plugin

Jenkins Active Directory Plugin 2.19 and earlier does not require POST requests for multiple HTTP endpoints implementing connection and authentication tests, resulting in cross-site request forgery (CSRF) vulnerabilities.

This vulnerability allows attackers to perform connection tests, connecting to attacker-specified or previously configured Active Directory servers using attacker-specified credentials.

Active Directory Plugin 2.20 requires POST requests for the affected HTTP endpoints.

Permalink: https://github.com/advisories/GHSA-2wf5-4mf7-vmh3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yd2Y1LTRtZjctdm1oM84AAmgX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 12 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

EPSS Percentage: 0.00062
EPSS Percentile: 0.27513

Identifiers: GHSA-2wf5-4mf7-vmh3, CVE-2020-2303
References: Repository: https://github.com/jenkinsci/active-directory-plugin
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:active-directory
Affected Version Ranges: < 2.20
Fixed in: 2.20