CVE-2022-23105: User passwords transmitted in plain text by Jenkins Active Directory Plugin

CVSS 3.1 Score: 4.8

Basic Information

EPSS Score: 0.21541%
Published: 1/13/2022
Updated: 12/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
Package Name: org.jenkins-ci.plugins:active-directory
Ecosystem: maven
Vulnerable Versions: < 2.25.1
First Patched Version: 2.25.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing TLS enforcement in ADSI/LDAP connections. Key functions were identified by analyzing the patch diff:
- The retrieveUser and loadGroupByGroupname functions used insecure ADS_READONLY_SERVER flags instead of TLS-enabled flags for ADSI connections.
- The bind method in the security realm descriptor used non-encrypted LDAP by default unless explicitly configured otherwise via system properties.
These functions handled authentication/authorization flows without mandatory encryption, matching CWE-319's cleartext transmission pattern. The patch introduced ADSI_FLAGS with TLS requirements and a new requireTLS configuration parameter to address this.
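Added example, not code from the plugin or from this Miggo page: a JNDI simple bind in the weak form the analysis describes (plain ldap://, password sent before any encryption) beside a fail-closed form that sends credentials only over ldaps:// or after a successful StartTLS upgrade. The class and method names are assumptions for illustration.

```java
import java.io.IOException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/** Illustrative binds only; names are assumptions, not the Active Directory plugin's code. */
public final class AdBindExample {

    /** The weak default behind CWE-319: a simple bind over plain ldap:// sends the password in cleartext. */
    static LdapContext bindPlaintext(String url, String userDn, char[] password) throws NamingException {
        Hashtable<String, Object> env = baseEnv(url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialLdapContext(env, null);   // credentials leave the host unencrypted
    }

    /** Hardened form: credentials are sent only once the transport is encrypted; otherwise it fails closed. */
    static LdapContext bindRequireTls(String url, String userDn, char[] password)
            throws NamingException, IOException {
        Hashtable<String, Object> env = baseEnv(url);
        if (url.startsWith("ldaps://")) {
            env.put(Context.SECURITY_PROTOCOL, "ssl");          // LDAP over TLS from the first byte
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, userDn);
            env.put(Context.SECURITY_CREDENTIALS, password);
            return new InitialLdapContext(env, null);
        }
        if (!url.startsWith("ldap://")) {
            throw new IllegalArgumentException("unsupported LDAP URL: " + url);
        }
        // Plain ldap://: open an anonymous connection, upgrade it with StartTLS, and only then bind.
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate();   // throws IOException if the server refuses TLS: no silent fallback to cleartext
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, userDn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, password);
        ctx.reconnect(null);   // re-bind with the credentials over the now-encrypted session
        return ctx;
    }

    private static Hashtable<String, Object> baseEnv(String url) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        return env;
    }
}
```

StartTlsResponse.negotiate() verifies the server's hostname against its certificate by default; leave that check in place, since an encrypted bind to an unverified server still exposes the password.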


WAF Protection Rules

WAF Rule

Jenkins Active Directory Plugin (versions before 2.25.1, per the table above) does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations.
