CloudBees Security Advisory 2012-01-24

Vulnerability in Jenkins Active Directory plugin

This vulnerability allows attackers to gain access as administrative users, when Active Directory is configured to support anonymous LDAP bind operations. This affects the system that satisfies all of the following conditions: (1) it uses the Active Directory plugin up to and including 1.24, (2) Active Directory that it talks to allows anonymous binds (Windows disables anonymous binds by default), and (3) Jenkins runs on OS other than Windows, or 64bit JVM on Windows.

Severity

CloudBees rates this vulnerability as critical, as it allows malicious users to impersonate the administrator of the system, gaining the full access to the system.

Fix

This issue has been fixed in the Active Directory plugin 1.25. We recommend that you update your plugin to this version or later. If you don't see the update in your update center, you can download it manually and upload it to your Jenkins via the "advanced" tab of the update center. In both cases, restart of Jenkins is required for the update to effect.