Jenkins Active Directory Plugin Allows Empty Password Login Vulnerability

CVE-2020-2300 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Jenkins Active Directory Plugin 2.19 and earlier does not prohibit the use of an empty password in Windows/ADSI mode, which allows attackers to log in to Jenkins as any user depending on the configuration of the Active Directory server.