CVE-2017-2649
Description
It was found that the Active Directory Plugin for Jenkins up to and including version 2.2 did not verify certificates of the Active Directory server, thereby enabling Man-in-the-Middle attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Active Directory Plugin ≤2.2 fails to verify LDAPS certificates, enabling MitM attacks against authentication.
Vulnerability
The Jenkins Active Directory Plugin up to and including version 2.2 did not verify certificates of the Active Directory server when using LDAPS, allowing an attacker to impersonate the server through a Man-in-the-Middle (MitM) attack [1], [2]. This affects all installations where the plugin is configured to connect to Active Directory over LDAPS without proper certificate validation.
Exploitation
An attacker with network access to the communication path between Jenkins and the Active Directory server can perform a Man-in-the-Middle attack by presenting a self-signed or otherwise invalid certificate. No authentication is required, and the attacker does not need special privileges on Jenkins or the Active Directory server [1], [2].
Impact
A successful MitM attack allows the attacker to intercept or modify authentication traffic, potentially capturing credentials or impersonating the Active Directory server. This could lead to unauthorized access to Jenkins and the Active Directory domain. The attacker gains a network-level position that compromises the confidentiality and integrity of the authentication flow [1], [2].
Mitigation
The vulnerability is fixed in Active Directory Plugin version 2.3, released on 2017-03-20 [2]. Users should update to this version or later. No workaround is documented, and the plugin is under active maintenance. This CVE is not listed on the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:active-directoryMaven | < 2.3 | 2.3 |
Affected products
2- Range: <= 2.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-vcgj-j8c5-2h52ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-2649ghsaADVISORY
- www.securityfocus.com/bid/96986ghsavdb-entryx_refsource_BIDWEB
- jenkins.io/security/advisory/2017-03-20ghsaWEB
- jenkins.io/security/advisory/2017-03-20/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.