CVE-2020-2302
Description
A missing permission check in Jenkins Active Directory Plugin 2.19 and earlier allows attackers with Overall/Read permission to access the domain health check diagnostic page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing permission check in Jenkins Active Directory Plugin 2.19 and earlier lets users with Overall/Read access view the domain health diagnostic page.
Vulnerability Description
The Jenkins Active Directory Plugin, versions 2.19 and earlier, contains a missing permission check on the domain health check diagnostic page. The ActiveDirectoryStatus management link, introduced in version 2.5, did not require administrative privileges to access. This allowed any authenticated user with Overall/Read permission to view the diagnostic endpoint, which exposes sensitive information about the Active Directory configuration [2].
Attack Vector and Exploitation
An attacker who has obtained a Jenkins account with at least the Overall/Read permission can access the /ad-health URL to reach this diagnostic page [1]. No additional authentication or special privileges are necessary. The vulnerability exists because the ActiveDirectoryStatus class lacked a required permission check before version 2.20 of the plugin [4].
Impact
By accessing this diagnostic page, an attacker can gather information about the configured Active Directory domain(s), domain controllers, DNS resolution, LDAP catalog details, and connection performance metrics. This information leakage can aid in further attacks against the Active Directory infrastructure or Jenkins instance, potentially allowing the attacker to plan more targeted exploitation [1][3].
Mitigation
The vulnerability is fixed in Active Directory Plugin version 2.20, which now requires the ADMINISTER permission to access the health check diagnostic page [4]. Users should upgrade to version 2.20 or later. This issue was disclosed as part of the Jenkins Security Advisory on November 4, 2020 [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:active-directory (Maven) | < 2.20 | 2.20 |
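The affected range above ("< 2.20") is the only thing an operator needs to check on an existing controller. The following script is an added example, not part of this advisory or of the plugin's code: it reads the JSON shape served by Jenkins' own plugin-manager API (`/pluginManager/api/json?depth=1`, a `plugins` array whose entries carry `shortName` and `version`) and flags an installed `active-directory` plugin that is still below the fixed release. The JSON document embedded below is constructed for the example, not captured from a real server; the plugin short name and the fixed version come from the affected-packages table.

```python
"""Flag a Jenkins controller whose Active Directory plugin is still in the
CVE-2020-2302 affected range (below 2.20).

Added example; it is not the advisory's or the plugin's own code. It parses
the JSON returned by Jenkins' /pluginManager/api/json?depth=1 endpoint, which
lists installed plugins as {"shortName": ..., "version": ...} objects.
"""
import json
import re

AFFECTED_PLUGIN = "active-directory"   # short name of the plugin from the table
FIXED_VERSION = "2.20"                 # patched version from the advisory

# Constructed sample in the shape of /pluginManager/api/json?depth=1
# (not captured from a real instance).
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "active-directory", "version": "2.19", "active": True},
        {"shortName": "credentials", "version": "2.3.13", "active": True},
    ]
})


def version_key(text):
    """Turn a plugin version string into a sortable key.

    Jenkins plugin versions are dotted numerics, sometimes followed by a
    qualifier such as '2.20-beta-1' or '1.0-SNAPSHOT'. Numeric components are
    compared as integers; a qualified build sorts *before* the plain release
    with the same numbers, so a '2.20-beta-1' is still reported as affected.
    """
    numbers = []
    qualified = False
    for piece in re.split(r"[.\-]", text):
        if piece.isdigit():
            numbers.append(int(piece))
        else:
            qualified = True
            break
    return (tuple(numbers), 0 if qualified else 1)


def is_affected(version, fixed_version=FIXED_VERSION):
    """True when `version` is strictly below the fixed release."""
    return version_key(version) < version_key(fixed_version)


def check_plugin_manager(doc, plugin=AFFECTED_PLUGIN, fixed_version=FIXED_VERSION):
    """Return a finding dict for `plugin`, or None when it is not installed.

    `doc` is the JSON text from /pluginManager/api/json?depth=1.
    """
    data = json.loads(doc)
    for entry in data.get("plugins", []):
        if entry.get("shortName") == plugin:
            version = entry.get("version", "")
            return {
                "plugin": plugin,
                "version": version,
                "affected": is_affected(version, fixed_version),
                "fixed_in": fixed_version,
            }
    return None


if __name__ == "__main__":
    finding = check_plugin_manager(SAMPLE_PLUGIN_MANAGER_JSON)
    if finding is None:
        print(f"{AFFECTED_PLUGIN} is not installed")
    elif finding["affected"]:
        print(f"{finding['plugin']} {finding['version']} is affected by CVE-2020-2302; "
              f"upgrade to {finding['fixed_in']} or later")
    else:
        print(f"{finding['plugin']} {finding['version']} is at or above {finding['fixed_in']}")
```

To run it against a real controller, fetch the endpoint with an administrator's API token and pass the response body to `check_plugin_manager`; the version comparison deliberately treats a pre-release build of 2.20 as still affected, since only the 2.20 release is listed as patched.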
Affected products
- Jenkins project / Jenkins Active Directory Plugin (range: unspecified)
Patches
e6b5f2bf2f44 [SECURITY-1999]
1 file changed · +16 −1
src/main/java/hudson/plugins/active_directory/ActiveDirectoryStatus.java+16 −1 modified@@ -24,9 +24,11 @@ * THE SOFTWARE. */ +import edu.umd.cs.findbugs.annotations.NonNull; import edu.umd.cs.findbugs.annotations.SuppressFBWarnings; import hudson.Extension; import hudson.model.ManagementLink; +import hudson.security.Permission; import hudson.security.SecurityRealm; import hudson.util.ListBoxModel; import jenkins.model.Jenkins; @@ -37,6 +39,7 @@ import org.acegisecurity.userdetails.UserDetails; import org.kohsuke.accmod.Restricted; import org.kohsuke.accmod.restrictions.NoExternalUse; +import org.kohsuke.stapler.StaplerProxy; import java.io.IOException; import java.util.Collections; @@ -55,7 +58,7 @@ * @since 2.1 */ @Extension -public class ActiveDirectoryStatus extends ManagementLink { +public class ActiveDirectoryStatus extends ManagementLink implements StaplerProxy { @Override public String getIconFileName() { @@ -72,6 +75,12 @@ public String getUrlName() { return "ad-health"; } + @NonNull + @Override + public Permission getRequiredPermission() { + return Jenkins.ADMINISTER; + } + /** * Get the list of domains configured on the Security Realm * @@ -135,6 +144,12 @@ public ListBoxModel doFillDomainsItems() { return model; } + @Override + public Object getTarget() { + Jenkins.get().checkPermission(getRequiredPermission()); + return this; + } + /** * ServerHealth of a SocketInfo */
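Review bot: the `@Override` on the new `getRequiredPermission()` in the hunk at `@@ -72,6 +75,12 @@` only compiles against a Jenkins core that already declares `ManagementLink.getRequiredPermission()`, and this change touches only `ActiveDirectoryStatus.java` (`1 file changed · +16 −1`), so confirm the plugin's core baseline in the pom is high enough or bump it in the same release. Returning `Jenkins.ADMINISTER` is the right level for a page that reports domain controllers, DNS resolution and LDAP catalog details, and keeping the permission in one method (rather than hard-coding it again in `getTarget()`) means a later change to the required permission only has to be made once.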
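Review bot: `getTarget()` in the hunk at `@@ -135,6 +144,12 @@` is what actually closes the hole. Because the class now implements `StaplerProxy`, Stapler calls `getTarget()` before routing any request under `/ad-health`, so both the diagnostic view and the `doFillDomainsItems()` form-fill endpoint visible in the context lines are covered by the single `Jenkins.get().checkPermission(getRequiredPermission())` call, which throws for a caller lacking Overall/Administer instead of rendering a partial page. Worth adding in the same change: a test that an authenticated user with only Overall/Read receives a 403 on `/ad-health` and on the `doFillDomainsItems` URL, so the proxy gate cannot be silently dropped by a future refactor.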
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-q6rq-4whr-r879 (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2020-2302 (advisory, via GHSA)
- github.com/jenkinsci/active-directory-plugin/commit/e6b5f2bf2f441bd679d35db1bd6f9576b148e3cb (web, via GHSA)
- www.jenkins.io/security/advisory/2020-11-04/ (web, via GHSA; x_refsource_CONFIRM)
News mentions
- Jenkins Security Advisory 2020-11-04 (Jenkins Security Advisories, Nov 4, 2020)