CVE-2023-37943

Description

Jenkins Active Directory Plugin allows testing a new, unsaved configuration by performing a connection test (the button labeled "Test Domain"). Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted. This allows attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials. This only affects the connection test. Connections established during the login process are encrypted if the corresponding TLS option is enabled. Active Directory Plugin 2.30.1 considers the "Require TLS" and "StartTls" options for connection tests.

How to fix CVE-2023-37943

To remediate CVE-2023-37943, upgrade the affected package to a fixed version below.

• —upgrade to 2.30.1 or later

Is CVE-2023-37943 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.30.1

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-37943
• WEBgithub.com/jenkinsci/active-directory-plugin/commit/549dde617dbcf533e6cabfe8cc148a250a398211
• WEBwww.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059
• WEBwww.openwall.com/lists/oss-security/2023/07/12/2