Jenkins Active Directory Plugin
- <= 2.41
A deserialization vulnerability has been identified in the Jenkins Active Directory Plugin, versions 2.41 and earlier. The plugin improperly handles data returned through LDAP referrals, allowing deserialization of attacker-controlled data. Because the plugin follows LDAP referrals from the configured Active Directory server by default, an attacker who can influence a referral (for example by controlling a server the domain controller refers to) can point it at an RMI URL; the controller's JNDI client follows the referral and deserializes the object the RMI endpoint returns. If suitable deserialization 'gadget' classes are available on the controller's classpath, this results in remote code execution on the Jenkins controller.
Successful exploitation gives the attacker remote code execution on the Jenkins controller, with the privileges of the Jenkins process.
Update to Active Directory Plugin version 2.41.1 or later, which no longer follows LDAP referrals by default. Administrators who cannot update can mitigate the vulnerability by setting the Java system property 'hudson.plugins.active_directory.referral.ignore' to 'true' on the Jenkins controller JVM; system properties are read at JVM start, so the controller must be restarted for the setting to take effect. Administrators who require LDAP referrals to be followed can set the property to 'false', which restores the previous (vulnerable) behavior on any version.
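The following script is an added example and is not part of the advisory or of the plugin's own code. It shows the two configurations side by side (the `JAVA_OPTS` line that applies the mitigation, and a check that tells you whether a given controller is actually protected). The check takes the installed plugin version and the controller JVM's argument string (as seen in `jps -lv` or `/proc/<pid>/cmdline`) and applies the advisory's rules: 2.41.1 or later is protected unless the property is explicitly set to `false`; 2.41 and earlier is protected only if the property is set to `true`. The sample JVM argument strings at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): decide whether a Jenkins
# controller is protected against the LDAP-referral deserialization issue in
# the Active Directory Plugin, given the plugin version and JVM options.

PROP='hudson.plugins.active_directory.referral.ignore'

# Mitigation for controllers that cannot update yet: add the property to the
# JVM options (how JAVA_OPTS reaches the JVM depends on your service wrapper),
# then restart the controller so the JVM picks it up.
#   JAVA_OPTS="$JAVA_OPTS -Dhudson.plugins.active_directory.referral.ignore=true"

# Print the property's value from a JVM argument string, or nothing if unset.
# The JVM honours the last -D definition, so the last match wins here too.
referral_prop_value() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-D${PROP}=//p" | tail -n 1
}

# version_ge A B: succeed (exit 0) if dotted version A >= B.
# Implemented in awk so it does not rely on GNU `sort -V`.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0;
      yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi > yi) exit 0;
      if (xi < yi) exit 1;
    }
    exit 0
  }'
}

# referral_state PLUGIN_VERSION JVM_ARGS: print "protected" or "vulnerable".
#  - >= 2.41.1: referrals are ignored by default; only an explicit
#    referral.ignore=false re-enables the vulnerable behaviour.
#  - <= 2.41:   referrals are followed by default; only an explicit
#    referral.ignore=true mitigates.
referral_state() {
  ver="$1"
  val="$(referral_prop_value "$2")"
  if version_ge "$ver" 2.41.1; then
    if [ "$val" = "false" ]; then printf 'vulnerable\n'; else printf 'protected\n'; fi
  else
    if [ "$val" = "true" ]; then printf 'protected\n'; else printf 'vulnerable\n'; fi
  fi
}

# Constructed sample inputs (not taken from any real controller).
WEAK_OPTS='-Xmx2g -Djenkins.install.runSetupWizard=false'
FIXED_OPTS="$WEAK_OPTS -D${PROP}=true"

# Example usage: an unpatched 2.41 install with and without the mitigation.
printf '2.41 default     : %s\n' "$(referral_state 2.41 "$WEAK_OPTS")"
printf '2.41 + property  : %s\n' "$(referral_state 2.41 "$FIXED_OPTS")"
printf '2.41.1 default   : %s\n' "$(referral_state 2.41.1 "$WEAK_OPTS")"
```

On a live controller you would substitute the plugin version read from `$JENKINS_HOME/plugins/active-directory.jpi` (its manifest's `Plugin-Version`) and the argument string of the running Jenkins JVM; the decision logic itself is the same as above.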