CVE-2022-23105 — User passwords transmitted in plain text by Jenkins Active Directory Plugin

Description

Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations.

How to fix CVE-2022-23105

To remediate CVE-2022-23105, upgrade the affected package to a fixed version below.

Maven/org.jenkins-ci.plugins:active-directory—upgrade to 2.25.1 or later

Is CVE-2022-23105 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.25.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.8	CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-23105
PATCHgithub.com/jenkinsci/active-directory-plugin
WEBgithub.com/jenkinsci/active-directory-plugin/commit/07b05f83b167c79590f2efbdad8cb84fc98ed150
WEBwww.jenkins.io/security/advisory/2022-01-12/#SECURITY-1389