CVE-2023-37943

low-risk

Published 2023-07-12

Jenkins Active Directory Plugin 2.30 and earlier ignores the "Require TLS" and "StartTls" options and always performs the connection test to Active directory unencrypted, allowing attackers able to capture network traffic between the Jenkins controller and Active Directory servers to obtain Active Directory credentials.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Active Directory

Affected Vendors

Jenkins

References (4)

Mailing List http://www.openwall.com/lists/oss-security/2023/07/12/2

Vendor Advisory https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059

Mailing List http://www.openwall.com/lists/oss-security/2023/07/12/2

Vendor Advisory https://www.jenkins.io/security/advisory/2023-07-12/#SECURITY-3059

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal