CloudBees Security Advisory 2011-10-20

Vulnerability in Jenkins Active Directory plugin

This vulnerability allowed malicious users to assume the identity of arbitrary users. This affects the Active directory plugin from 1.17 to 1.19, when you explicitly configure the bind DN parameter in the "advanced" option.


CloudBees rate this vulnerability as critical , as it allows malicious users to impersonate the administrator of the system, gaining the full access to the system.


This issue has been fixed in the AD plugin 1.20. We recommend you update your plugin to 1.20 or later. If you don't see the update in your update center, you can download it manually and upload it to your Jenkins.