CVE-2020-2301

CWE-287 — Improper Authentication5 documents5 sources

Severity

9.8CRITICAL

EPSS

0.2%

top 60.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Active Directory Plugin Jenkins Active Directory

Timeline

PublishedNov 4

Latest updateMay 24

Description

Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user with any password while a successful authentication of that user is still in the optional cache when using Windows/ADSI mode.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:active-directory2.17 — 2.20+1

▶CVEListV5jenkins_project/jenkins_active_directory_pluginunspecified — 2.19

▶NVDjenkins/active_directory2.19

🔴Vulnerability Details

OSV

Authentication cache in Active Directory Jenkins Plugin allows logging in with any password↗2022-05-24

▶

GHSA

Authentication cache in Active Directory Jenkins Plugin allows logging in with any password↗2022-05-24

▶

CVEList

CVE-2020-2301: Jenkins Active Directory Plugin 2↗2020-11-04

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2020-11-04↗2020-11-04

▶