CVE Vulnerabilities

CVE-2019-1003009

Improper Certificate Validation

Published: Feb 06, 2019 | Modified: Oct 09, 2019
CVSS 3.x
7.4
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 2.x
5.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu

An improper certificate validation vulnerability exists in Jenkins Active Directory Plugin 2.10 and earlier in src/main/java/hudson/plugins/active_directory/ActiveDirectoryDomain.java, src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java, src/main/java/hudson/plugins/active_directory/ActiveDirectoryUnixAuthenticationProvider.java that allows attackers to impersonate the Active Directory server Jenkins connects to for authentication if Jenkins is configured to use StartTLS.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name Vendor Start Version End Version
Active_directory Jenkins * 2.10

Potential Mitigations

References