GHSA-954f-xw44-56r2
GitHub Security Advisory
Authentication cache in Active Directory Jenkins Plugin allows logging in with any password
Advisory Details
Jenkins Active Directory Plugin implements two separate modes: Integration with ADSI on Windows, and an OS agnostic LDAP-based mode. Optionally, to reduce lookup time, a cache can be configured to remember user lookups and user authentications.
In Active Directory Plugin prior to 2.20 and 2.16.1, when run in Windows/ADSI mode, the provided password was not used when looking up an applicable cache entry. This allows attackers to log in as any user using any password while a successful authentication of that user is still in the cache.
As a workaround for this issue, the cache can be disabled.
Active Directory Plugin 2.20 and 2.16.1 includes the provided password in cache entry lookup.
Additionally, the Java system property `hudson.plugins.active_directory.CacheUtil.noCacheAuth` can be set to `true` to no longer cache user authentications.
Affected Packages
Related CVEs
Key Information
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.