Impersonation Vulnerability in Jenkins Active Directory Plugin

Impersonation Vulnerability in Jenkins Active Directory Plugin

CVE-2019-1003009 · MEDIUM Severity

AV:N/AC:M/AU:N/C:P/I:P/A:N

An improper certificate validation vulnerability exists in Jenkins Active Directory Plugin 2.10 and earlier in src/main/java/hudson/plugins/active_directory/ActiveDirectoryDomain.java, src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java, src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java that allows attackers to impersonate the Active Directory server Jenkins connects to for authentication if Jenkins is configured to use StartTLS.

Learn more about our Cis Benchmark Audit For Server Software.