CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2300
https://notcve.org/view.php?id=CVE-2020-2300
Jenkins Active Directory Plugin 2.19 and earlier does not prohibit the use of an empty password in Windows/ADSI mode, which allows attackers to log in to Jenkins as any user depending on the configuration of the Active Directory server. Jenkins Active Directory Plugin versiones 2.19 y anteriores, no prohíbe el uso de una contraseña vacía en el modo Windows/ADSI, lo que permite a atacantes iniciar sesión en Jenkins como cualquier usuario dependiendo de la configuración del servidor de Active Directory • http://www.openwall.com/lists/oss-security/2020/11/04/6 https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2099 •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2299
https://notcve.org/view.php?id=CVE-2020-2299
Jenkins Active Directory Plugin 2.19 and earlier allows attackers to log in as any user if a magic constant is used as the password. Jenkins Active Directory Plugin versiones 2.19 y anteriores, permiten a atacantes iniciar sesión como cualquier usuario si una constante mágica es usada como la contraseña • http://www.openwall.com/lists/oss-security/2020/11/04/6 https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2117 •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1003009
https://notcve.org/view.php?id=CVE-2019-1003009
An improper certificate validation vulnerability exists in Jenkins Active Directory Plugin 2.10 and earlier in src/main/java/hudson/plugins/active_directory/ActiveDirectoryDomain.java, src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java, src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java that allows attackers to impersonate the Active Directory server Jenkins connects to for authentication if Jenkins is configured to use StartTLS. Existe una vulnerabilidad de validación incorrecta de certificados en Jenkins Active Directory Plugin, en versiones 2.10 y anteriores, en src/main/java/hudson/plugins/active_directory/ActiveDirectoryDomain.java, src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java y src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java que permite que los atacantes suplanten el servidor Active Directory al que se conecta Jenkins para autenticarse si Jenkins está configurado para emplear StartTLS. • https://jenkins.io/security/advisory/2019-01-28/#SECURITY-859 • CWE-295: Improper Certificate Validation •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-2649
https://notcve.org/view.php?id=CVE-2017-2649
It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks. Se ha descubierto que el plugin Active Directory para Jenkins hasta la versión 2.2 inclusive no verificaba los certificados del servidor de Active Directory, lo que permitía ataques Man-in-the-Middle. • http://www.securityfocus.com/bid/96986 https://jenkins.io/security/advisory/2017-03-20 • CWE-295: Improper Certificate Validation •