Description
Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active Directory unencrypted. An attacker able to capture network traffic between the Jenkins controller and the Active Directory servers can therefore obtain Active Directory credentials.
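To check whether connections from a Jenkins controller to Active Directory are protected, a defender can classify the first client payload of each connection as TLS, StartTLS, or a cleartext bind. The sketch below is an added example, not code from the plugin or the advisory; it assumes the exposed credential travels in an LDAP simple bind, and the function names and sample bytes are constructed for illustration.

```python
"""Classify the first client payload of a controller-to-AD connection (added example)."""

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation (RFC 4511)

def read_tlv(buf, pos):
    """Decode one definite-length BER TLV; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def classify(payload):
    """Return a label for the first bytes the client sent; never returns the credential."""
    if payload[:2] == b"\x16\x03":           # TLS handshake record (LDAPS)
        return "tls"
    try:
        tag, msg, _ = read_tlv(payload, 0)   # LDAPMessage SEQUENCE
        id_tag, _, pos = read_tlv(msg, 0)    # messageID INTEGER
        if tag != 0x30 or id_tag != 0x02:
            return "not-ldap"
        op_tag, op, _ = read_tlv(msg, pos)   # protocolOp
        if op_tag == 0x77:                   # ExtendedRequest [APPLICATION 23]
            name_tag, name, _ = read_tlv(op, 0)
            return "starttls" if (name_tag, name) == (0x80, STARTTLS_OID) else "other-ldap"
        if op_tag == 0x60:                   # BindRequest [APPLICATION 0]
            _, _, p = read_tlv(op, 0)        # version
            _, _, p = read_tlv(op, p)        # bind DN
            auth_tag, cred, _ = read_tlv(op, p)
            if auth_tag == 0x80:             # simple authentication choice
                return "cleartext-simple-bind" if cred else "bind-without-password"
            return "sasl-bind"
        return "other-ldap"
    except ValueError:
        return "not-ldap"

def _tlv(tag, value):  # builder for the constructed samples below (short lengths only)
    return bytes([tag, len(value)]) + value

# Constructed samples, not captured traffic.
SAMPLE_BIND = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x60, _tlv(0x02, b"\x03")
              + _tlv(0x04, b"CN=svc,DC=example,DC=test") + _tlv(0x80, b"placeholder-secret")))
SAMPLE_STARTTLS = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x77, _tlv(0x80, STARTTLS_OID)))
```

A `cleartext-simple-bind` result for a connection whose configuration requires TLS or StartTLS is the condition the description above warns about.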
Remediation
References
http://www.openwall.com/lists/oss-security/2023/07/12/2
https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059
Related Vulnerabilities
CVE-2022-43427 Vulnerability in maven package com.compuware.jenkins:compuware-topaz-for-total-test
CVE-2023-22465 Vulnerability in maven package org.http4s:http4s-core_3
CVE-2023-25768 Vulnerability in maven package org.jenkins-ci.plugins:azure-credentials
CVE-2022-43411 Vulnerability in maven package org.jenkins-ci.plugins:gitlab-plugin
CVE-2021-21623 Vulnerability in maven package org.jenkins-ci.plugins:matrix-auth