Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-g8c3-6fj2-87w7

GitHub Security Advisory

Jenkins Active Directory Plugin vulnerable to Active Directory credential disclosure

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

Jenkins Active Directory Plugin allows testing a new, unsaved configuration by performing a connection test (the button labeled "Test Domain").

Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted. This allows attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.

This only affects the connection test. Connections established during the login process are encrypted if the corresponding TLS option is enabled.

Active Directory Plugin 2.30.1 considers the "Require TLS" and "StartTls" options for connection tests.

Affected Packages

Maven org.jenkins-ci.plugins:active-directory
Affected versions: 0 (fixed in 2.30.1)

Related CVEs

CVE-2023-37943

Key Information

GHSA ID
GHSA-g8c3-6fj2-87w7
Published
July 12, 2023 6:30 PM
Last Modified
July 20, 2023 2:53 PM
CVSS Score
5.0 /10
Primary Ecosystem
Maven
Primary Package
org.jenkins-ci.plugins:active-directory
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.