| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:active-directory | maven | >= 2.17, < 2.20 | 2.20 |
| org.jenkins-ci.plugins:active-directory | maven | < 2.16.1 | 2.16.1 |

The vulnerability stemmed from missing empty-password validation in Windows/ADSI mode. The commit diff shows that the patched version added explicit checks for empty passwords via StringUtils.isEmpty() and throws BadCredentialsException when one is found. The vulnerable version's retrieveUser method lacked these checks, so authentication with an empty password was possible. The CVE description specifically called out the Windows-specific implementation in ActiveDirectoryAuthenticationProvider (not the Unix implementation), and the code changes directly target this component.
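To make the failure mode concrete, the following added example (not the plugin's code) places the unchecked pattern next to the patched one. It assumes a stand-in directory that accepts a known user name with an empty password as an anonymous bind, the behaviour of many LDAP servers that allow unauthenticated binds; the class and method names are illustrative only.

```java
import java.util.Map;

// Added illustration, not the plugin's code. The stand-in directory follows LDAP
// "unauthenticated bind" semantics: a known user name with an empty password is
// accepted as an anonymous bind without any proof of the password.
final class FakeDirectory {
    private final Map<String, String> passwords; // constructed sample credentials
    FakeDirectory(Map<String, String> passwords) { this.passwords = passwords; }

    boolean bind(String user, String password) {
        if (password == null || password.isEmpty()) {
            return passwords.containsKey(user); // anonymous bind "succeeds"
        }
        return password.equals(passwords.get(user));
    }
}

final class BadCredentialsException extends RuntimeException {
    BadCredentialsException(String msg) { super(msg); }
}

final class Authenticator {
    private final FakeDirectory dir;
    Authenticator(FakeDirectory dir) { this.dir = dir; }

    // Vulnerable pattern: the password goes straight to the directory bind.
    String retrieveUserUnchecked(String username, String password) {
        if (!dir.bind(username, password)) throw new BadCredentialsException("Bad credentials");
        return username;
    }

    // Patched pattern: reject an empty password before any bind is attempted.
    // The fix uses StringUtils.isEmpty(); the same test is written out here
    // so the example has no dependency beyond the JDK.
    String retrieveUserChecked(String username, String password) {
        if (password == null || password.isEmpty()) throw new BadCredentialsException("Empty password");
        return retrieveUserUnchecked(username, password);
    }

    public static void main(String[] args) {
        Authenticator auth = new Authenticator(new FakeDirectory(Map.of("alice", "s3cret")));
        System.out.println("unchecked: " + auth.retrieveUserUnchecked("alice", ""));
        try {
            auth.retrieveUserChecked("alice", "");
        } catch (BadCredentialsException e) {
            System.out.println("checked: " + e.getMessage());
        }
    }
}
```

The unchecked path returns the user even though no password was ever verified, which is exactly why the check must sit in front of the bind rather than relying on the directory to refuse the request.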