Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12Y2dqLWo4YzUtMmg1Ms4AARcN
Jenkins Active Directory Plugin did not verify certificate of AD server
It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.
Permalink: https://github.com/advisories/GHSA-vcgj-j8c5-2h52JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12Y2dqLWo4YzUtMmg1Ms4AARcN
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 3 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-vcgj-j8c5-2h52, CVE-2017-2649
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-2649
- https://jenkins.io/security/advisory/2017-03-20/
- http://www.securityfocus.com/bid/96986
- https://github.com/advisories/GHSA-vcgj-j8c5-2h52
Affected Packages
maven:org.jenkins-ci.plugins:active-directory
Affected Version Ranges: <= 2.2Fixed in: 2.3