Description
Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.
Remediation
References
http://www.openwall.com/lists/oss-security/2023/07/12/2
https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059
Related Vulnerabilities
CVE-2021-26296 Vulnerability in maven package org.apache.myfaces.core:myfaces-core-project
CVE-2019-10476 Vulnerability in maven package org.jenkins-ci.plugins:zulip
CVE-2021-21366 Vulnerability in maven package org.webjars.npm:xmldom
CVE-2023-36472 Vulnerability in npm package @strapi/admin
CVE-2021-25329 Vulnerability in maven package org.apache.tomcat:tomcat-catalina