9.8

CVSS Score

Basic Information

CVE ID

CVE-2020-2301

GHSA ID

GHSA-954f-xw44-56r2

EPSS Score

CWE

CWE-287

Published

5/24/2022

Updated

12/14/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2301

CVE-2020-2301:
Authentication cache in Active Directory Jenkins Plugin allows logging in with any password

Jenkins Active Directory Plugin implements two separate modes: Integration with ADSI on Windows, and an OS agnostic LDAP-based mode. Optionally, to reduce lookup time, a cache can be configured to remember user lookups and user authentications.

In Active Directory Plugin prior to 2.20 and 2.16.1, when run in Windows/ADSI mode, the provided password was not used when looking up an applicable cache entry. This allows attackers to log in as any user using any password while a successful authentication of that user is still in the cache.

As a workaround for this issue, the cache can be disabled.

Active Directory Plugin 2.20 and 2.16.1 includes the provided password in cache entry lookup.

Additionally, the Java system property hudson.plugins.active_directory.CacheUtil.noCacheAuth can be set to true to no longer cache user authentications.

(GitHub Advisory)

9.8

CVSS Score

Basic Information

CVE ID

CVE-2020-2301

GHSA ID

GHSA-954f-xw44-56r2

EPSS Score

CWE

CWE-287

Published

5/24/2022

Updated

12/14/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:active-directory	maven	>= 2.17, < 2.20	2.20
org.jenkins-ci.plugins:active-directory	maven	< 2.16.1	2.16.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper cache key construction in Windows/ADSI mode. The original implementation in ActiveDirectoryAuthenticationProvider.java's retrieveUser method used a username-only cache key (Cache<String, UserDetails>). This allowed cached authentication entries to be reused regardless of the provided password. The commit introduced CacheKey (with username + password hash) and modified the cache to use it, confirming the flaw was in the cache key handling during authentication checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins **tiv* *ir**tory Plu*in impl*m*nts two s*p*r*t* mo**s: Int**r*tion wit* **SI on Win*ows, *n* *n OS **nosti* L**P-**s** mo**. Option*lly, to r**u** lookup tim*, * ***** **n ** *on*i*ur** to r*m*m**r us*r lookups *n* us*r *ut**nti**tions. In *

Reasoning

T** vuln*r**ility st*mm** *rom improp*r ***** k*y *onstru*tion in Win*ows/**SI mo**. T** ori*in*l impl*m*nt*tion in **tiv**ir**tory*ut**nti**tionProvi**r.j*v*'s r*tri*v*Us*r m*t*o* us** * us*rn*m*-only ***** k*y (*****<Strin*, Us*r**t*ils>). T*is *ll

9.8

Basic Information

Concerned about an active attack path?

CVE-2020-2301: Authentication cache in Active Directory Jenkins Plugin allows logging in with any password

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-2301:
Authentication cache in Active Directory Jenkins Plugin allows logging in with any password

Vulnerability Intelligence
Miggo AI