Improper Certificate Validation

Affecting rg.jenkins-ci.plugins:active-directory artifact, versions [,2.11)

Overview

rg.jenkins-ci.plugins:active-directory is a Next Generation Warnings plugin which collects compiler warnings or issues reported by static analysis tools and visualizes the results.

Affected versions of this package are vulnerable to Improper Certificate Validation. An attacker could impersonate the Active Directory server Jenkins connects to for authentication if Jenkins is configured to use StartTLS.

Remediation

Upgrade rg.jenkins-ci.plugins:active-directory to version 2.11 or higher.
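To check whether an installed copy of the plugin still falls inside the affected range "[,2.11)", here is an added example (not Snyk's or the plugin's own code) that interprets the Maven-style interval notation used above and compares versions numerically, so that 2.9 correctly sorts below 2.11. The controller names and versions in the sample are constructed; qualifiers such as "-beta" are stripped as a simplification of Maven's full ordering.

```python
import re
from typing import Dict, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted numeric version into integers.
    Simplification: anything after '-' or '+' (e.g. -beta) is ignored."""
    core = re.split(r"[-+]", v, maxsplit=1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())

def cmp_versions(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two version tuples, padding with zeros so 2.11 == 2.11.0."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def in_range(version: str, spec: str) -> bool:
    """True if version lies inside one Maven-style interval such as "[,2.11)".
    '[' / ']' are inclusive bounds, '(' / ')' exclusive, an empty bound is open."""
    m = re.fullmatch(r"([\[(])\s*([^,]*?)\s*,\s*([^\])]*?)\s*([\])])", spec)
    if not m:
        raise ValueError(f"unsupported range: {spec!r}")
    lo_br, lo, hi, hi_br = m.groups()
    v = parse_version(version)
    if lo:
        c = cmp_versions(v, parse_version(lo))
        if c < 0 or (c == 0 and lo_br == "("):
            return False
    if hi:
        c = cmp_versions(v, parse_version(hi))
        if c > 0 or (c == 0 and hi_br == ")"):
            return False
    return True

AFFECTED = "[,2.11)"  # affected range stated in the advisory

def audit(installed: Dict[str, str]) -> Dict[str, bool]:
    """Map controller name -> installed plugin version to name -> still vulnerable."""
    return {name: in_range(ver, AFFECTED) for name, ver in installed.items()}

# Constructed sample input (hypothetical controller names, not real data).
SAMPLE = {"ci-a": "2.10", "ci-b": "2.11", "ci-c": "2.9", "ci-d": "2.11.1"}

if __name__ == "__main__":
    for name, vulnerable in audit(SAMPLE).items():
        print(f"{name}: {'UPGRADE to 2.11+' if vulnerable else 'ok'}")
```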

CVSS Score: 7.4 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Credit: Unknown
CVE: CVE-2019-1003009
CWE: CWE-295
Snyk ID: SNYK-JAVA-RGJENKINSCIPLUGINS-173672
Disclosed: 28 Jan, 2019
Published: 06 Feb, 2019