CVE-2019-1003009: Jenkins Active Directory Plugin Improper certificate validation with StartTLS
CVSS Score: 7.4 (CVSS 3.0)
Basic Information
- CVE ID: CVE-2019-1003009
- GHSA ID:
- EPSS Score: 0.04706%
- CWE:
- Published: 5/13/2022
- Updated: 1/9/2024
- KEV Status: No
- Technology: Java
Technical Details
- CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:active-directory | maven | <= 2.10 | 2.11 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from improper TLS certificate validation during StartTLS handshakes. Key evidence includes:
- The security advisory explicitly mentions missing certificate validation in StartTLS mode
- Commit changes show TLS configuration was moved from realm-level to domain-level
- Deprecation of the old bind() method that used hardcoded trust-all behavior
- Test cases added to verify TLS configuration migration and validation
- The patch introduces domain-specific TLS handling in multiple authentication pathways
- Configuration UI changes moved TLS settings to the domain configuration level