Jenkins LDAP Plugin Unvalidated LDAP Referral Vulnerability Leading to Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in the Jenkins LDAP Plugin in versions through 807.v7d7de30930cf. The plugin follows LDAP referrals returned by the configured LDAP server, so a malicious or compromised server can redirect the plugin to an RMI URL. Following such a referral causes attacker-controlled data to be deserialized on the Jenkins controller, which can lead to remote code execution if suitable deserialization 'gadgets' are present on the classpath. Exploitation requires control over the LDAP server or a man-in-the-middle position between Jenkins and that server.

Impact

Exploitation of this vulnerability allows for remote code execution on the Jenkins controller.

Remediation

Users of the Jenkins LDAP Plugin should update to version 807.809.vd3a_4e5e4ec98, which no longer follows LDAP referrals. For those unable to update, the vulnerability can be mitigated by setting the Java system property 'hudson.plugins.ldap.referral.ignore' to 'true'.
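A small audit helper, added here as an example and not part of the Jenkins project or plugin, that classifies a controller as fixed, mitigated or vulnerable from its installed plugin version and JVM arguments. It assumes a simplified version comparison in which only the dotted numeric components before the 'v<hash>' token are ordered; the version strings and property name are those stated above.

```python
import re

# Values named in the advisory above.
FIXED_VERSION = "807.809.vd3a_4e5e4ec98"
MITIGATION_PROPERTY = "hudson.plugins.ldap.referral.ignore"


def numeric_prefix(version: str) -> tuple:
    """Return the leading numeric components of a Jenkins plugin version.

    Assumption (simplified, not Jenkins's own VersionNumber logic): for
    versions such as '807.v7d7de30930cf' the ordering is carried by the
    dotted numbers before the 'v<hash>' token, so that token and anything
    after it is ignored.
    """
    parts = []
    for token in version.split("."):
        if not token.isdigit():
            break
        parts.append(int(token))
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True when the installed plugin is older than the fixed release."""
    return numeric_prefix(version) < numeric_prefix(FIXED_VERSION)


def referral_mitigation_enabled(jvm_args: str) -> bool:
    """Check the controller's JVM argument string for the workaround property."""
    pattern = r"-D" + re.escape(MITIGATION_PROPERTY) + r"=(\S+)"
    match = re.search(pattern, jvm_args)
    return match is not None and match.group(1).lower() == "true"


def assess(version: str, jvm_args: str = "") -> str:
    """Classify a controller as 'fixed', 'mitigated' or 'vulnerable'."""
    if not is_affected_version(version):
        return "fixed"
    if referral_mitigation_enabled(jvm_args):
        return "mitigated"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample command line, for illustration only.
    sample_args = "java -Dhudson.plugins.ldap.referral.ignore=true -jar jenkins.war"
    print(assess("807.v7d7de30930cf"))               # vulnerable
    print(assess("807.v7d7de30930cf", sample_args))  # mitigated
    print(assess("807.809.vd3a_4e5e4ec98"))          # fixed
```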

Added: May 28, 2026, 4:48 AM
Updated: May 28, 2026, 4:48 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          7.5
exploitability  6.0
remediation     0.0
relevance       9.1
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.