Vulnerability Description
It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.
CVSS Score
8.1
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Active Directory | <= 2.2 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/96986Third Party AdvisoryVDB Entry
- https://jenkins.io/security/advisory/2017-03-20/Vendor Advisory
- http://www.securityfocus.com/bid/96986Third Party AdvisoryVDB Entry
- https://jenkins.io/security/advisory/2017-03-20/Vendor Advisory
FAQ
What is CVE-2017-2649?
CVE-2017-2649 is a vulnerability with a CVSS score of 8.1 (HIGH). It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.
How severe is CVE-2017-2649?
CVE-2017-2649 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-2649?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Active Directory.