9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2299

GHSA ID

GHSA-rf92-3vjr-w628

EPSS Score

0.41538%

CWE

CWE-287

Published

5/24/2022

Updated

12/14/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2299

CVE-2020-2299:
Improper Authentication in Jenkins Active Directory Plugin

Jenkins Active Directory Plugin implements two separate modes: Integration with ADSI on Windows, and an OS agnostic LDAP-based mode.

The LDAP-based mode in Active Directory Plugin starting in version 1.44 and prior to versions 2.16.1 and 2.20 shares code between user lookup and user authentication and distinguishes these behaviors through the use if a magic constant used in place of a real password. This allows attackers to log in as any user if the magic constant is used as the password in Active Directory Plugin prior to 2.16.1 and 220.

Active Directory Plugin 2.16.1 and 2.20 no longer uses a magic constant to distinguish between user lookup and user authentication.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2299

GHSA ID

GHSA-rf92-3vjr-w628

EPSS Score

0.41538%

CWE

CWE-287

Published

5/24/2022

Updated

12/14/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:active-directory	maven	>= 2.17, < 2.20	2.20
org.jenkins-ci.plugins:active-directory	maven	>= 1.44, < 2.16.1	2.16.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from using a magic password constant (hex nulls) to differentiate between user lookup (no auth) and authentication. The commit shows:

Removal of NO_AUTHENTICATION magic string from ActiveDirectoryUnixAuthenticationProvider
Introduction of Password interface with proper authentication state handling
Modified cache key generation to include password hashes instead of raw passwords
Added explicit empty password checks These changes indicate the original retrieveUser functions in both authentication providers improperly handled the authentication flow when the magic constant was present in the password field, allowing attackers to authenticate as any user by supplying this special value.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins **tiv* *ir**tory Plu*in impl*m*nts two s*p*r*t* mo**s: Int**r*tion wit* **SI on Win*ows, *n* *n OS **nosti* L**P-**s** mo**. T** L**P-**s** mo** in **tiv* *ir**tory Plu*in st*rtin* in v*rsion *.** *n* prior to v*rsions *.**.* *n* *.** s**r*s

Reasoning

T** vuln*r**ility st*mm** *rom usin* * m**i* p*sswor* *onst*nt (**x nulls) to *i***r*nti*t* **tw**n us*r lookup (no *ut*) *n* *ut**nti**tion. T** *ommit s*ows: *. R*mov*l o* NO_*UT**NTI**TION m**i* strin* *rom **tiv**ir**toryUnix*ut**nti**tionProvi**

9.8

Basic Information

Concerned about an active attack path?

CVE-2020-2299: Improper Authentication in Jenkins Active Directory Plugin

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-2299:
Improper Authentication in Jenkins Active Directory Plugin

Vulnerability Intelligence
Miggo AI