Lucene search

[email protected]NVD:CVE-2023-37943

HistoryJul 12, 2023 - 4:15 p.m.

CVE-2023-37943

2023-07-1216:15:13

CWE-311

[email protected]

web.nvd.nist.gov

jenkins

active directory

unencrypted connection

network traffic capture

credentials capture

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

50.6%

JSON

Jenkins Active Directory Plugin 2.30 and earlier ignores the “Require TLS” and “StartTls” options and always performs the connection test to Active directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.

Affected configurations

Nvd

Node

jenkinsactive_directoryRange≤2.30jenkins

VendorProductVersionCPE
jenkinsactive_directory*cpe:2.3:a:jenkins:active_directory:*:*:*:*:*:jenkins:*:*

Vendor	Product	Version	CPE
jenkins	active_directory	*	cpe:2.3:a:jenkins:active_directory::::::jenkins::*

References

www.openwall.com/lists/oss-security/2023/07/12/2

www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

50.6%

JSON

Related for NVD:CVE-2023-37943

veracode1 osv2 prion1 cvelist1 cve1 github1