CVE-2023-37943

CWE-311 | 5 documents | 5 sources

Severity: 5.9 (MEDIUM)
EPSS: 0.0% (top 89.26%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 12

Description

Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active Directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6

Vulnerability Details (3)

GHSA: Jenkins Active Directory Plugin vulnerable to Active Directory credential disclosure (2023-07-12)
CVEList: CVE-2023-37943: Jenkins Active Directory Plugin 2 (2023-07-12)
OSV: Jenkins Active Directory Plugin vulnerable to Active Directory credential disclosure (2023-07-12)

Vendor Advisories (1)

Jenkins: Jenkins Security Advisory 2023-07-12 (2023-07-12)