CVE-2020-2299

9.8 CRITICAL

📋 TL;DR

Active Directory Plugin 2.19 and earlier for Jenkins accepts one fixed string, a "magic constant", as a valid password for any account. An attacker who knows that value can log in as any user without knowing the user's real password and inherits that user's Jenkins permissions. Every Jenkins instance whose security realm is a vulnerable version of the plugin is affected; no credentials, user interaction or special configuration are needed.
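The advisory describes the bug only as a "magic constant" accepted as a password. The usual way such a bug arises is a sentinel value that code uses internally to mean "load this user's details without checking a password", compared by value against whatever the login form sends. The snippet below is an added illustration of that pattern and its fix; it is not the plugin's code, and the sentinel string, the directory contents and the bind function are all made up.

```python
"""Illustration of a 'magic constant' password bypass and its fix.

Constructed example, not the Active Directory Plugin's code. The sentinel
value, the user store and ldap_bind() are stand-ins.
"""
from typing import Optional

# Pretend directory: username -> correct password (constructed data).
DIRECTORY = {"alice": "Winter2020!", "svc_build": "h4rd-t0-gu3ss"}


def ldap_bind(username: str, password: str) -> bool:
    """Stand-in for binding to the domain controller with the user's credentials."""
    return DIRECTORY.get(username) == password


# ------------------------------------------------------------ vulnerable
# Internal sentinel: passed as the 'password' when the caller only wants the
# user's details (e.g. to honour a remember-me cookie), not an authentication.
NO_AUTHENTICATION = "\u0000NO_AUTH\u0000"  # made-up value


def login_vulnerable(username: str, password: str) -> Optional[str]:
    """Return the username on success, None on failure.

    Bug: one function serves both the password-less internal lookup and real
    logins, and the sentinel is compared by value. Anyone who learns the
    constant can send it from the login form and skip the bind entirely.
    """
    if username not in DIRECTORY:
        return None
    if password == NO_AUTHENTICATION:  # intended for internal callers only
        return username
    return username if ldap_bind(username, password) else None


# ------------------------------------------------------------ hardened
def load_user_details(username: str) -> Optional[str]:
    """Password-less lookup gets its own entry point; no sentinel exists."""
    return username if username in DIRECTORY else None


def login_hardened(username: str, password: str) -> Optional[str]:
    """Every externally supplied credential is bound against the directory.

    Empty passwords are refused explicitly: an LDAP simple bind with an empty
    password is an unauthenticated bind and can 'succeed' on some servers.
    """
    if not password or username not in DIRECTORY:
        return None
    return username if ldap_bind(username, password) else None


if __name__ == "__main__":
    print(login_vulnerable("svc_build", NO_AUTHENTICATION))  # svc_build (bypass)
    print(login_hardened("svc_build", NO_AUTHENTICATION))    # None
```

The fix is structural rather than a secret: the password-less path has no shared constant that user input could ever equal, so learning any internal string gains an attacker nothing.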

💻 Affected Systems

Products:
  • Jenkins Active Directory Plugin
Versions: 2.19 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Only Jenkins instances whose configured security realm is the Active Directory Plugin are affected. An instance that has the plugin installed but authenticates some other way does not use the vulnerable code path, but should still be updated.

📦 What is this software?

The Active Directory Plugin is a Jenkins security realm: it authenticates users who log in to Jenkins against Microsoft Active Directory and maps their AD group memberships to Jenkins authorities. It can reach domain controllers over LDAP/LDAPS from any platform, or through ADSI when Jenkins runs on Windows. A flaw in it therefore sits directly on the Jenkins login path.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Login as a Jenkins administrator: arbitrary code execution on the controller through the script console or modified job definitions, theft of every credential stored in Jenkins, tampering with builds and artefacts, and pivoting from the controller and its agents into internal systems.

🟠

Likely Case

Unauthorized access to Jenkins with the permissions of whichever account the attacker chose to impersonate, which for most configured users already allows running builds (and therefore code) on agents, reading build output and manipulating pipelines.

🟢

If Mitigated

Impact is limited only where attackers cannot reach the login form at all (network restriction or an authenticating proxy in front of Jenkins) and successful logins are monitored. Password policies and other controls inside the realm do not help, because the bypass is in the realm's own password check.

🌐 Internet-Facing: HIGH - the login form of an Internet-facing instance is exploitable by anyone, with no prior authentication.
🏢 Internal Only: HIGH - any foothold on the internal network, or any insider, can use the same bypass against the login form.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs nothing beyond network access to the login form and the magic constant itself; no valid credentials, user interaction or special server configuration are required. The constant value is public, so the only practical barrier is reachability of the login endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Active Directory Plugin 2.20

Vendor Advisory: https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2117

Restart Required: Yes

Instructions:

1. In the Jenkins UI, go to Manage Jenkins > Manage Plugins > Updates and update Active Directory Plugin to 2.20 or later. Update Jenkins core first only if the plugin manager reports that 2.20 requires a newer core.
2. Restart Jenkins so the new plugin version is actually loaded; plugin updates do not take effect until then.
3. Confirm the installed version (see How to Verify) and review logins that occurred before the update for signs of abuse.

🔧 Temporary Workarounds

Disable Active Directory Plugin

linux

Temporarily stop the vulnerable plugin from loading until it can be updated. Switch the security realm to something else first (for example Jenkins' own user database): if the plugin is still the configured realm when it disappears, Jenkins cannot load its security configuration. Stop Jenkins before renaming the file; the plugin may be installed as active-directory.jpi or active-directory.hpi, so adjust the name accordingly.

mv "$JENKINS_HOME/plugins/active-directory.jpi" "$JENKINS_HOME/plugins/active-directory.jpi.disabled"

Implement Network Controls

all

Restrict who can reach the Jenkins login form: allow only trusted networks or a VPN at the firewall or reverse proxy, and keep the instance off the public Internet until it is patched.

🧯 If You Can't Patch

  • Restrict Jenkins to an allowlist of trusted source addresses at the firewall or reverse proxy
  • Put an authenticating reverse proxy or SSO gateway that enforces MFA in front of Jenkins so the plugin's login form is never reachable anonymously (Jenkins has no native per-user MFA, and controls inside the vulnerable realm do not help because the bypass is in its password check)
  • Review administrator accounts and recent logins, and rotate credentials stored in Jenkins if unexplained logins are found

🔍 How to Verify

Check if Vulnerable:

In the Jenkins web interface go to Manage Jenkins > Manage Plugins > Installed, find "Active Directory" and read its version column. Any version up to and including 2.19 is vulnerable.

Check Version:

grep -i '^Plugin-Version' "$JENKINS_HOME/plugins/active-directory/META-INF/MANIFEST.MF"

The exploded plugin directory exists only after Jenkins has loaded the plugin at least once; if it is absent, read META-INF/MANIFEST.MF from inside the active-directory.jpi (or .hpi) archive instead. Compare the version numerically, not as a string: "2.9" sorts after "2.20" textually but is older.

Verify Fix Applied:

After the restart, confirm in Manage Jenkins > Manage Plugins > Installed that the Active Directory Plugin shows 2.20 or later, and re-run the manifest check above against the files on disk.
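The three steps above (locate the plugin, read its manifest, compare against 2.20) as one script. This is an added example and not part of the Jenkins project; it reads the exploded plugin directory or, failing that, the .jpi/.hpi archive, and compares versions numerically. The embedded sample manifest is constructed for offline testing and its dependency values are invented.

```python
"""Check an installed Active Directory Plugin against the fixed version (2.20).

Added example, not Jenkins project code. Handles JAR-manifest continuation
lines and compares versions as integer tuples, since a string comparison
would call 2.9 newer than 2.20.
"""
import os
import re
import sys
import zipfile
from typing import Dict, List

FIXED_VERSION = "2.20"


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse a JAR manifest; continuation lines begin with a single space."""
    headers: Dict[str, str] = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and key is not None:
            headers[key] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        key = name.strip()
        headers[key] = value.strip()
    return headers


def version_key(version: str) -> List[int]:
    """'2.20', '2.16.1', '2.20-rc1' -> comparable lists of ints."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    return [int(p) for p in core.split(".") if p.isdigit()]


def is_vulnerable(version: str) -> bool:
    return version_key(version) < version_key(FIXED_VERSION)


def read_manifest(jenkins_home: str) -> str:
    """Prefer the exploded plugin dir; fall back to the archive Jenkins installed."""
    exploded = os.path.join(jenkins_home, "plugins", "active-directory",
                            "META-INF", "MANIFEST.MF")
    if os.path.exists(exploded):
        with open(exploded, encoding="utf-8") as fh:
            return fh.read()
    for ext in ("jpi", "hpi"):
        archive = os.path.join(jenkins_home, "plugins", f"active-directory.{ext}")
        if os.path.exists(archive):
            with zipfile.ZipFile(archive) as zf:
                return zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    raise FileNotFoundError("Active Directory Plugin not found under " + jenkins_home)


def check(manifest_text: str) -> str:
    headers = parse_manifest(manifest_text)
    version = headers.get("Plugin-Version", "")
    if not version:
        return "unknown: no Plugin-Version header"
    state = "VULNERABLE" if is_vulnerable(version) else "fixed"
    return f"{state}: Plugin-Version {version}"


# Constructed sample manifest for offline runs; dependency values are made up.
SAMPLE_MANIFEST = """Manifest-Version: 1.0
Short-Name: active-directory
Long-Name: Jenkins Active Directory plugin
Plugin-Version: 2.19
Plugin-Dependencies: mailer:1.32,
 matrix-auth:2.4
"""

if __name__ == "__main__":
    home = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("JENKINS_HOME", "")
    text = read_manifest(home) if home else SAMPLE_MANIFEST
    print(check(text))
```

Run it as `python3 check_ad_plugin.py /var/lib/jenkins` (or with JENKINS_HOME set); with no argument it checks the embedded sample and reports VULNERABLE for 2.19.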

📡 Detection & Monitoring

Log Indicators:

  • Successful Jenkins logins for which the domain controller recorded no authentication of that account around the same time (the bypass never validates the password against AD)
  • One source address logging in successfully as several different users within minutes, which is what spraying a single universal password looks like
  • Successful logins as administrators, service accounts or dormant accounts at unusual hours, especially when followed by script-console use or job configuration changes

Network Indicators:

  • POSTs to the Jenkins login endpoint (/j_acegi_security_check on Jenkins releases of that era, /j_spring_security_check on later ones) from addresses that never log in normally
  • Login attempts from unexpected geographic locations or from hosts that are not user workstations

SIEM Query:

source="jenkins.log" AND ("authentication" OR "login") AND "success" | bin _time span=10m | stats dc(user) AS distinct_users, values(user) AS users, count BY src_ip, _time | where distinct_users >= 3

Stock Jenkins logs very little about authentication; the src_ip and user fields above assume the Audit Trail plugin or a reverse proxy in front of Jenkins is feeding the SIEM, so adjust the field names to your source.
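The two log indicators that are specific to this bug, Jenkins logins with no matching domain-controller authentication and one source logging in as many users, implemented over normalized events. This is an added example and not part of Jenkins or any SIEM product. It assumes the SIEM has already reduced two feeds to (timestamp, user, source) records: Jenkins successful logins (Audit Trail plugin or reverse proxy) and DC logon events for the same accounts (for example Windows 4624/4776); all events below are constructed.

```python
"""Detections for a password-bypass login against Jenkins (constructed example).

Added here; not Jenkins or SIEM code. Under this bug the plugin accepts a
login without checking the password against the domain controller, so a
genuine Jenkins login should be preceded by a DC logon event for the same
account, and a bypass login will not be.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    user: str
    src: str


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed data: alice and bob authenticate at the DC right before Jenkins
# lets them in; 10.9.8.7 logs in as four accounts with no DC events at all.
JENKINS_LOGINS = [
    Event(ts("2020-11-05 09:00:05"), "alice", "10.1.1.10"),
    Event(ts("2020-11-05 09:30:02"), "bob", "10.1.1.11"),
    Event(ts("2020-11-05 22:14:01"), "alice", "10.9.8.7"),
    Event(ts("2020-11-05 22:14:09"), "bob", "10.9.8.7"),
    Event(ts("2020-11-05 22:14:15"), "jenkins-admin", "10.9.8.7"),
    Event(ts("2020-11-05 22:14:22"), "svc_deploy", "10.9.8.7"),
]
DC_LOGONS = [
    Event(ts("2020-11-05 09:00:04"), "alice", "jenkins01"),
    Event(ts("2020-11-05 09:30:01"), "bob", "jenkins01"),
]


def logins_without_dc_auth(jenkins: List[Event], dc: List[Event],
                           window: timedelta = timedelta(seconds=30)) -> List[Event]:
    """Jenkins logins with no DC logon for the same user within `window` before."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for e in dc:
        by_user[e.user.lower()].append(e.ts)
    suspicious = []
    for login in jenkins:
        matched = any(login.ts - window <= t <= login.ts
                      for t in by_user.get(login.user.lower(), []))
        if not matched:
            suspicious.append(login)
    return suspicious


def sources_spraying_users(jenkins: List[Event],
                           window: timedelta = timedelta(minutes=10),
                           min_users: int = 3) -> Dict[str, Set[str]]:
    """Sources that logged in as at least `min_users` distinct users within `window`."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(jenkins, key=lambda ev: ev.ts):
        by_src[e.src].append(e)
    hits: Dict[str, Set[str]] = {}
    for src, events in by_src.items():
        for i, start in enumerate(events):
            users = {e.user for e in events[i:] if e.ts - start.ts <= window}
            if len(users) >= min_users:
                hits[src] = hits.get(src, set()) | users
    return hits


if __name__ == "__main__":
    for e in logins_without_dc_auth(JENKINS_LOGINS, DC_LOGONS):
        print("no DC auth:", e.ts, e.user, e.src)
    for src, users in sources_spraying_users(JENKINS_LOGINS).items():
        print("spray:", src, sorted(users))
```

Tune the window to your environment: the plugin can cache successful authentications and Jenkins honours remember-me cookies, so a legitimate re-login shortly after a real one may also show no fresh DC event. Treat a miss as a lead to correlate with what the session did next, not as proof on its own.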
