CVE-2020-2303
Description
A cross-site request forgery (CSRF) vulnerability in Jenkins Active Directory Plugin 2.19 and earlier allows attackers to perform connection tests, connecting to attacker-specified or previously configured Active Directory servers using attacker-specified credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF vulnerability in Jenkins Active Directory Plugin 2.19 and earlier allows attackers to perform connection tests to arbitrary AD servers using attacker-specified credentials.
CVE-2020-2303 is a cross-site request forgery (CSRF) vulnerability in the Jenkins Active Directory Plugin versions 2.19 and earlier. The plugin includes a feature for administrators to test connections to Active Directory servers. However, this functionality does not require a CSRF token, enabling an attacker to craft a malicious request that, if executed by an authenticated administrator, triggers a connection test to an attacker-specified Active Directory server using attacker-controlled credentials [2][4].
To exploit this vulnerability, an attacker must trick a Jenkins administrator with appropriate permissions into visiting a malicious webpage or clicking a crafted link. No prior authentication for the attacker is required, as the request is made in the context of the administrator's session. The attacker can specify the target AD server (either a previously configured one or a new one) and provide arbitrary credentials for the connection test [2].
The impact of successful exploitation includes the ability for an attacker to perform connection tests against any Active Directory server reachable from the Jenkins server. This could leak information about AD server availability or network topology, and if the attacker provides credentials, those credentials are sent to the AD server, potentially enabling credential interception or authentication attempts. However, the vulnerability does not directly allow authentication bypass or privilege escalation within Jenkins itself [1][2].
The vulnerability is fixed in Active Directory Plugin version 2.20, which adds CSRF protection to the connection test functionality. Users are advised to update to the latest version immediately. No workarounds are documented, but administrators can restrict access to the Jenkins UI to mitigate exposure [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:active-directory (Maven) | < 2.20 | 2.20 |
Affected products
- Jenkins project / Jenkins Active Directory Plugin (version range: unspecified)
Patches
- 3558971237b8 [SECURITY-2126]
2 files changed · +7 −4
src/main/java/hudson/plugins/active_directory/ActiveDirectoryDomain.java+4 −3 modified@@ -38,6 +38,7 @@ import org.kohsuke.accmod.restrictions.NoExternalUse; import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.QueryParameter; +import org.kohsuke.stapler.interceptor.RequirePOST; import javax.naming.CommunicationException; import javax.naming.Context; @@ -273,9 +274,11 @@ public ListBoxModel doFillTlsConfigurationItems() { } return model; } - + + @RequirePOST public FormValidation doValidateTest(@QueryParameter(fixEmpty = true) String name, @QueryParameter(fixEmpty = true) String servers, @QueryParameter(fixEmpty = true) String site, @QueryParameter(fixEmpty = true) String bindName, @QueryParameter(fixEmpty = true) String bindPassword, @QueryParameter(fixEmpty = true) TlsConfiguration tlsConfiguration) throws IOException, ServletException, NamingException { + Jenkins.get().checkPermission(Jenkins.ADMINISTER); ActiveDirectoryDomain domain = new ActiveDirectoryDomain(name, servers, site, bindName, bindPassword, tlsConfiguration); List<ActiveDirectoryDomain> domains = new ArrayList<>(1); domains.add(domain); @@ -286,8 +289,6 @@ public FormValidation doValidateTest(@QueryParameter(fixEmpty = true) String nam ClassLoader ccl = Thread.currentThread().getContextClassLoader(); Thread.currentThread().setContextClassLoader(getClass().getClassLoader()); try { - Functions.checkPermission(Jenkins.ADMINISTER); - // In case we can do native authentication if (activeDirectorySecurityRealm.getDescriptor().canDoNativeAuth() && name==null) { // this check must be identical to that of ActiveDirectory.groovy
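Review bot: In the doValidateTest hunk the new `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` runs before `new ActiveDirectoryDomain(...)` is built and outside the try block that swaps the context class loader, which is the right order; the removed `Functions.checkPermission(Jenkins.ADMINISTER)` inside the try was only reached after the domain and list had been constructed. Two follow-ups: check whether `hudson.Functions` is still referenced elsewhere in this file now that its only visible use is gone, and confirm the Jelly view that drives this validation submits via POST, since `@RequirePOST` makes the method reject GET requests.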
src/main/java/hudson/plugins/active_directory/ActiveDirectorySecurityRealm.java+3 −1 modified@@ -51,6 +51,7 @@ import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; import org.kohsuke.stapler.StaplerResponse; +import org.kohsuke.stapler.interceptor.RequirePOST; import org.springframework.dao.DataAccessException; import javax.naming.Context; @@ -385,9 +386,10 @@ public DescriptorImpl getDescriptor() { /** * Authentication test. */ + @RequirePOST public void doAuthTest(StaplerRequest req, StaplerResponse rsp, @QueryParameter String username, @QueryParameter String password) throws IOException, ServletException { // require the administrator permission since this is full of debug info. - Jenkins.getActiveInstance().checkPermission(Jenkins.ADMINISTER); + Jenkins.get().checkPermission(Jenkins.ADMINISTER); StringWriter out = new StringWriter(); PrintWriter pw = new PrintWriter(out);
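Review bot: Replacing `Jenkins.getActiveInstance()` with `Jenkins.get()` in doAuthTest is unrelated to the CSRF fix; it is harmless but would read more clearly as a separate commit or at least be mentioned in the commit message. `@RequirePOST` only rejects GETs here: `password` is still read via `@QueryParameter`, so the calling form must submit it in the POST body rather than in the URL to keep it out of access logs, and the existing comment about the response being full of debug info still justifies keeping the ADMINISTER check.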
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-2wf5-4mf7-vmh3 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2020-2303 (advisory)
3. www.openwall.com/lists/oss-security/2020/11/04/6 (oss-security mailing list)
4. github.com/jenkinsci/active-directory-plugin/commit/3558971237b80e71e913ead9e82a722e9d5576b8 (fix commit)
5. www.jenkins.io/security/advisory/2020-11-04/ (vendor advisory)
News mentions
- Jenkins Security Advisory 2020-11-04 (Jenkins Security Advisories, Nov 4, 2020)