{"id":"GHSA-c8cc-hj57-vm65","summary":"User passwords transmitted in plain text by Jenkins Active Directory Plugin","details":"Jenkins Active Directory Plugin 2.25 and earlier does not encrypt the transmission of data between the Jenkins controller and Active Directory servers in most configurations.","aliases":["CVE-2022-23105"],"modified":"2024-02-16T08:10:40.995161Z","published":"2022-01-13T00:00:55Z","database_specific":{"cwe_ids":["CWE-319"],"github_reviewed":true,"nvd_published_at":"2022-01-12T20:15:00Z","severity":"MODERATE","github_reviewed_at":"2022-11-29T21:12:29Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23105"},{"type":"WEB","url":"https://github.com/jenkinsci/active-directory-plugin/commit/07b05f83b167c79590f2efbdad8cb84fc98ed150"},{"type":"PACKAGE","url":"https://github.com/jenkinsci/active-directory-plugin"},{"type":"WEB","url":"https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-1389"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2022/01/12/6"}],"affected":[{"package":{"name":"org.jenkins-ci.plugins:active-directory","ecosystem":"Maven","purl":"pkg:maven/org.jenkins-ci.plugins/active-directory"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.25.1"}]}],"versions":["1.18","1.19","1.20","1.21","1.22","1.23","1.24","1.25","1.26","1.27","1.28","1.29","1.30","1.31","1.32","1.33","1.34","1.35","1.36","1.37","1.38","1.39","1.41","1.42","1.43","1.44","1.45","1.46","1.47","1.48","1.49","2.0","2.1","2.10","2.11","2.12","2.13","2.14","2.15","2.16","2.16.1","2.17","2.18","2.19","2.2","2.20","2.22","2.23","2.23.1","2.24","2.24.1","2.25","2.3","2.4","2.5","2.6","2.7","2.8","2.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-c8cc-hj57-vm65/GHSA-c8cc-hj57-vm65.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"}]}