
CVE-2019-1003009: Jenkins Active Directory Plugin Improper certificate validation with StartTLS

CVSS Score (v3.0): 7.4

Basic Information

EPSS Score: 0.04706%
Published: 5/13/2022
Updated: 1/9/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name: org.jenkins-ci.plugins:active-directory
Ecosystem: maven
Vulnerable Versions: <= 2.10
First Patched Version: 2.11

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper TLS certificate validation during StartTLS handshakes. Key evidence includes:

  1. The security advisory explicitly mentions missing certificate validation in StartTLS mode
  2. Commit changes show TLS configuration was moved from realm-level to domain-level
  3. Deprecation of the old bind() method that used hardcoded trust-all behavior
  4. Test cases added to verify TLS configuration migration and validation
  5. The patch introduces domain-specific TLS handling in multiple authentication pathways
  6. Configuration UI changes moved TLS settings to the domain configuration level
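To make the "hardcoded trust-all behavior" in the analysis above concrete, the following is an added illustration (not the plugin's code and not its deprecated bind() method) of the two StartTLS setups a reviewer should be able to tell apart: a negotiation that installs an accept-everything trust manager and hostname verifier, and one that keeps the JVM's default chain validation and JNDI's default hostname check. The class name, method names and the host dc.example.test are assumptions made for the example.

```java
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Added illustration, not the Active Directory plugin's own code: the weak and the
 * validated form of a JNDI StartTLS negotiation against an LDAP server.
 */
public class StartTlsExample {

    // Hypothetical domain controller used only for this example.
    static final String LDAP_URL = "ldap://dc.example.test:389";

    /** WEAK: every certificate chain is accepted and the hostname check is skipped. */
    static LdapContext connectTrustAll() throws Exception {
        LdapContext ctx = new InitialLdapContext(baseEnv(), null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());

        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            // Empty body: no chain validation at all, so any server certificate passes.
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, trustAll, null);

        tls.setHostnameVerifier((hostname, session) -> true); // any name matches
        tls.negotiate(sc.getSocketFactory());                 // an unrelated certificate is accepted here
        return ctx;
    }

    /**
     * VALIDATED: negotiate() with no arguments uses the default SSLSocketFactory, so the
     * chain is checked against the JVM trust store, and JNDI's default hostname
     * verification requires the certificate to name dc.example.test. An untrusted or
     * mismatched certificate makes negotiate() throw instead of silently proceeding.
     */
    static LdapContext connectValidated() throws Exception {
        LdapContext ctx = new InitialLdapContext(baseEnv(), null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate();
        return ctx;
    }

    static Hashtable<String, String> baseEnv() {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        return env;
    }

    public static void main(String[] args) throws Exception {
        LdapContext ctx = connectValidated();
        try {
            System.out.println("StartTLS negotiated with certificate and hostname validation");
        } finally {
            ctx.close();
        }
    }
}
```

When reviewing a plugin or library for this class of defect, the things to look for are exactly the three lines in connectTrustAll(): an X509TrustManager whose checkServerTrusted() is empty, a HostnameVerifier that returns true unconditionally, and a negotiate() call that is handed that socket factory. The validated variant needs no custom trust code at all; if a private CA is in use, the correct fix is to import its certificate into the JVM trust store rather than to disable validation.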


WAF Protection Rules

WAF Rule

An improper certificate validation vulnerability exists in Jenkins Active Directory Plugin 2.10 and earlier in src/main/java/hudson/plugins/active_directory/ActiveDirectoryDomain.java, src/main/java/hudson/plugins/active_directory/ActiveDirectorySecu
