CVE-2020-2300

EUVD-2022-3251
Jenkins Active Directory Plugin 2.19 and earlier does not prohibit the use of an empty password in Windows/ADSI mode, which allows attackers to log in to Jenkins as any user depending on the configuration of the Active Directory server.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 40%
Affected Products (NVD)
VendorProductVersion
jenkinsactive_directory
𝑥
≤ 2.19
𝑥
= Vulnerable software versions
References
http://www.openwall.com/lists/oss-security/2020/11/04/6
https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2099
http://www.openwall.com/lists/oss-security/2020/11/04/6
https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2099