Description
Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.
Remediation
References
https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059
http://www.openwall.com/lists/oss-security/2023/07/12/2
Related Vulnerabilities
CVE-2015-3250 Vulnerability in maven package org.apache.directory.api:api-all
CVE-2022-29253 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore
CVE-2021-42340 Vulnerability in maven package org.apache.tomcat:tomcat-websocket
CVE-2018-1062 Vulnerability in maven package org.ovirt.engine.core:vdsbroker
CVE-2016-4987 Vulnerability in maven package com.tupilabs.image_gallery:image-gallery