Jenkins Active Directory Plugin Authentication Bypass (CVE-2020-2299/2300)

Critical Vulnerability Information Jenkins Security Advisory 2020-11-04 Affected Plugins: Active Directory Plugin Ansible Plugin AppSpider Plugin AWS Global Configuration Plugin Azure Key Vault Plugin FindBugs Plugin Kubernetes Plugin Mail Commander Plugin for Jenkins-ci Plugin Mercurial Plugin SQLPlus Script Runner Plugin Subversion Plugin VisualWorks Store Plugin VMware Lab Manager Slaves Plugin Vulnerability Description SECURITY-2117 / CVE-2020-2299 - Severity: Critical - Affected Plugin: active-directory - Description: In versions 2.19 and earlier of the Active Directory plugin, the code for LDAP pattern user lookup and authentication shares logic and uses magic constants to distinguish between them. If an attacker replaces the real password with a magic constant, they can log in using the magic constant as a password. SECURITY-2099 / CVE-2020-2300 - Severity: High - Affected Plugin: active-directory - Description: In Windows / ADSI mode, empty passwords are not allowed. However, if the AD server permits unauthenticated bind operations, attackers can exploit this to log in with an empty password. More vulnerability descriptions are listed above. Remediation Recommendations Upgrade the affected plugins to the latest versions. Disable unnecessary features (e.g., disable caching).

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins Active Directory Plugin Authentication Bypass (CVE-2020-2299/2300)