CVE-2020-2301

Description

Jenkins Active Directory Plugin implements two separate modes: Integration with ADSI on Windows, and an OS agnostic LDAP-based mode. Optionally, to reduce lookup time, a cache can be configured to remember user lookups and user authentications. In Active Directory Plugin prior to 2.20 and 2.16.1, when run in Windows/ADSI mode, the provided password was not used when looking up an applicable cache entry. This allows attackers to log in as any user using any password while a successful authentication of that user is still in the cache. As a workaround for this issue, the cache can be disabled. Active Directory Plugin 2.20 and 2.16.1 includes the provided password in cache entry lookup. Additionally, the Java system property `hudson.plugins.active_directory.CacheUtil.noCacheAuth` can be set to `true` to no longer cache user authentications.

How to fix CVE-2020-2301

To remediate CVE-2020-2301, upgrade the affected package to a fixed version below.

• —upgrade to 2.20 or later

Is CVE-2020-2301 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 2.17, < 2.20

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2301
• PATCHgithub.com/jenkinsci/active-directory-plugin
• WEBgithub.com/CVEProject/cvelist/blob/381fe967666a5ce01625a7a050427aa4757e3ca6/2020/2xxx/CVE-2020-2301.json
• WEBgithub.com/jenkinsci/active-directory-plugin/commit/57e78ea7bb96b4e59405f28959ade2d26821163d