CVE-2023-32978
Description
A cross-site request forgery (CSRF) vulnerability in Jenkins LDAP Plugin allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins LDAP Plugin CSRF allows attackers to connect to an attacker-controlled LDAP server with attacker-specified credentials.
Vulnerability
Overview
CVE-2023-32978 is a cross-site request forgery (CSRF) vulnerability in the Jenkins LDAP Plugin, versions 673.v034ec70ec2b_b_ and earlier. The form validation method doCheckServer (in LDAPConfiguration) does not require POST requests, so a plain GET from a victim's browser is enough to invoke it, and an attacker can trick a logged-in Jenkins administrator into sending that request. The issue is documented in the Jenkins Security Advisory [1].
Exploitation
Conditions
Exploitation requires that an authenticated Jenkins administrator visits an attacker-controlled web page or follows a crafted link while logged into Jenkins. Because the form validation method does not enforce POST, the attacker can encode the call as a GET request (for example as an image or link URL); when the administrator's browser sends it, Jenkins connects to the LDAP server named in the request [2]. The same request carries the manager DN and password that Jenkins presents to that server, so the attacker chooses both the target and the credentials. The connection originates from the Jenkins host, not from the victim's browser.
Impact
A successful exploit makes the Jenkins server open an LDAP connection to a host of the attacker's choosing, using the manager DN and password the attacker supplied. The affected endpoint is a form validation check: neither the advisory nor the fix describes it as saving configuration, so this issue alone does not redirect Jenkins's user authentication to the rogue server. The documented impact is limited to the LDAP integration: an attacker-triggered outbound LDAP connection from the Jenkins host, with attacker-chosen credentials.
Mitigation
The vulnerability is fixed in LDAP Plugin version 676.vfa_64cf6b_b_002. The fix commit adds the @POST annotation to doCheckServer, so Stapler only dispatches the method on POST requests (which in Jenkins also carry the CSRF crumb), and sets checkMethod="post" on the server textbox in config.jelly so the form's own client-side validation keeps working [3]. Users are strongly advised to update to this version or later. No workarounds are known; upgrading the plugin is the only mitigation.
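As an added example (not code from the LDAP Plugin or the Jenkins project), the following Python audit script encodes the pattern described in the Overview, Exploitation and Mitigation sections: a Stapler web method returning FormValidation that lacks @POST (or the older @RequirePOST) is reachable by GET and therefore by CSRF, and a Jelly field validated by such a method needs checkMethod="post" once the method is annotated. The sample inputs are constructed from the fix diff on this page; the permission check in the "after" sample is an assumption, since the diff does not show the method body past its first two lines. The annotation names, the do<Name> web-method convention and the checkMethod attribute are Stapler/Jenkins conventions, not taken from this page.

```python
"""Audit Jenkins plugin sources for form-validation endpoints reachable by GET.

Added example; not code from the LDAP Plugin or from Jenkins. Flags the
CVE-2023-32978 pattern: a public do*(...) method returning FormValidation
without @POST/@RequirePOST, plus a Jelly field validated by doCheck<Field>
whose client-side check still uses the default GET.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    path: str
    name: str      # Java method name or Jelly field name
    problem: str


# Annotations (if any) directly preceding a public FormValidation do*(...) method.
METHOD_RE = re.compile(
    r"((?:@\w+(?:\([^)]*\))?\s*)*)"
    r"public\s+FormValidation\s+(do\w+)\s*\("
)
# <f:entry field="x"> ... </f:entry> and the input control(s) inside it.
ENTRY_RE = re.compile(r'<f:entry\b[^>]*\bfield="([^"]+)"[^>]*>(.*?)</f:entry>', re.S)
CONTROL_RE = re.compile(r"<f:(?:textbox|password|textarea)\b([^>]*)>")
# Either Jenkins idiom for gating a validator on the caller's permission.
PERMISSION_RE = re.compile(r"\b(?:check|has)Permission\(")
POST_ANNOTATIONS = {"POST", "RequirePOST"}


def _method_body(src: str, start: int) -> str:
    """Return the brace-delimited body following position `start` (simple
    brace matching; braces inside Java string literals are not special-cased)."""
    open_idx = src.find("{", start)
    if open_idx < 0:
        return ""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx:i + 1]
    return src[open_idx:]


def audit(files: dict[str, str]) -> list[Finding]:
    """Audit {path: content} for .java sources and .jelly views. Jelly fields
    are only reported when a doCheck<Field> method exists in the Java sources."""
    findings: list[Finding] = []
    validated: set[str] = set()          # lower-cased field names with a doCheck method
    for path, src in files.items():
        if not path.endswith(".java"):
            continue
        for m in METHOD_RE.finditer(src):
            annotations = set(re.findall(r"@(\w+)", m.group(1)))
            name = m.group(2)
            if not annotations & POST_ANNOTATIONS:
                findings.append(Finding(path, name, "reachable via GET: add @POST (CSRF)"))
            if not PERMISSION_RE.search(_method_body(src, m.end())):
                findings.append(Finding(path, name, "no permission check in method body"))
            if name.startswith("doCheck"):
                validated.add(name[len("doCheck"):].lower())
    for path, src in files.items():
        if not path.endswith(".jelly"):
            continue
        for entry in ENTRY_RE.finditer(src):
            field, inner = entry.group(1), entry.group(2)
            if field.lower() not in validated:
                continue
            for control in CONTROL_RE.finditer(inner):
                if 'checkMethod="post"' not in control.group(1):
                    findings.append(Finding(path, field,
                                            'client validation uses GET: add checkMethod="post"'))
    return findings


# Constructed samples modelled on the fix diff; the method bodies are invented.
BEFORE = {
    "LDAPConfiguration.java": """
    public String getDisplayName() { return "ldap"; }

    public FormValidation doCheckServer(@QueryParameter String value, @QueryParameter String managerDN,
            @QueryParameter Secret managerPasswordSecret, @QueryParameter String rootDN) {
        String server = value;
        String managerPassword = Secret.toString(managerPasswordSecret);
        return FormValidation.ok();
    }
    """,
    "config.jelly": """
    <f:entry field="server" title="${%Server}"><f:textbox/></f:entry>
    <f:entry field="rootDN" title="${%root DN}"><f:textbox/></f:entry>
    """,
}
AFTER = {
    "LDAPConfiguration.java": """
    public String getDisplayName() { return "ldap"; }

    @POST
    public FormValidation doCheckServer(@QueryParameter String value, @QueryParameter String managerDN,
            @QueryParameter Secret managerPasswordSecret, @QueryParameter String rootDN) {
        if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) { return FormValidation.ok(); }
        String server = value;
        return FormValidation.ok();
    }
    """,
    "config.jelly": """
    <f:entry field="server" title="${%Server}"><f:textbox checkMethod="post"/></f:entry>
    <f:entry field="rootDN" title="${%root DN}"><f:textbox/></f:entry>
    """,
}

if __name__ == "__main__":
    for label, files in (("before fix", BEFORE), ("after fix", AFTER)):
        print(f"{label}: {len(audit(files))} finding(s)")
        for f in audit(files):
            print(f"  {f.path}: {f.name}: {f.problem}")
```

Run against a plugin checkout, the "before" shape produces three findings (GET-reachable validator, no permission guard, GET client check on the server field) and the "after" shape none; the rootDN field is not reported because no doCheckRootDN exists in the sample, which keeps the jelly check from flagging fields that have no server-side validator at all.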
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:ldap (Maven) | < 676.vfa | 676.vfa |
Affected products
- Range: 676.vfa_64cf6b_b_002
Patches
- fa64cf6bb002 [security-3046] add post annotation
2 files changed · +3 −1
src/main/java/jenkins/security/plugins/ldap/LDAPConfiguration.java+2 −0 modified@@ -42,6 +42,7 @@ import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.DataBoundSetter; import org.kohsuke.stapler.QueryParameter; +import org.kohsuke.stapler.verb.POST; import org.springframework.security.authentication.AnonymousAuthenticationProvider; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.authentication.AuthenticationProvider; @@ -402,6 +403,7 @@ public String getDisplayName() { return "ldap"; } + @POST public FormValidation doCheckServer(@QueryParameter String value, @QueryParameter String managerDN, @QueryParameter Secret managerPasswordSecret,@QueryParameter String rootDN) { String server = value; String managerPassword = Secret.toString(managerPasswordSecret);
src/main/resources/jenkins/security/plugins/ldap/LDAPConfiguration/config.jelly+1 −1 modified@@ -1,7 +1,7 @@ <?jelly escape-by-default='true'?> <j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form" xmlns:st="jelly:stapler" xmlns:l="/lib/layout" > <f:entry field="server" title="${%Server}"> - <f:textbox/> + <f:textbox checkMethod="post"/> </f:entry> <f:advanced title="${%Advanced Server Configuration}"> <f:entry field="rootDN" title="${%root DN}">
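Review bot: no permission check is visible in the doCheckServer hunk, only the new @POST above the signature; unless one follows in the body below the two lines shown, any authenticated user who can obtain a crumb can still POST to this validator and make Jenkins connect to the server named in `value` with the supplied `managerDN` / `managerPasswordSecret`. Guard the connection attempt with `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` (or return `FormValidation.ok()` when the caller lacks it) before the server is contacted.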
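Review bot: the `checkMethod="post"` on the server textbox is what keeps the form's own validation working once the method is @POST (a GET to a @POST method is rejected), and that dependency deserves a line in the commit message, which only says "add post annotation". The rootDN entry in the trailing context keeps the default GET check; that is fine if its validator (if any) only inspects the string, but any other validator in this descriptor that also contacts the server needs the same @POST plus `checkMethod="post"` pairing.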
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-c9qp-6556-jwwp (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-32978 (source: GHSA; type: advisory)
- www.jenkins.io/security/advisory/2023-05-16/ (source: GHSA; type: vendor advisory, web)
- github.com/jenkinsci/ldap-plugin/commit/fa64cf6bb002f1b60a45fcd308d45b5a1047e687 (source: GHSA; type: web)
News mentions
- Jenkins Security Advisory 2023-05-16, Jenkins Security Advisories · May 16, 2023