[ https://issues.jenkins-ci.org/browse/JENKINS-13159?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kohsuke Kawaguchi resolved JENKINS-13159.
-----------------------------------------
Resolution: Fixed
There's already a security advisory issued for the AD plugin
https://groups.google.com/forum/?fromgroups#!topic/jenkinsci-advisories/9XCq0hd0kgo
> Active Directory plugin v1.20 and Jenkins v1.456 allows passwordless
> authentication
> -----------------------------------------------------------------------------------
>
> Key: JENKINS-13159
> URL: https://issues.jenkins-ci.org/browse/JENKINS-13159
> Project: Jenkins
> Issue Type: Bug
> Components: active-directory
> Environment: CentOS 5.1
> X86-64
> Java 1.6.0_26
> Reporter: Youssuf ElKalay
> Priority: Critical
> Labels: active_directory, authentication, security, windows
> Fix For: current
>
>
> When using v1.20 of the Active Directory plugin and the latest version of
> Jenkins (v1.456 as of submission of this bug report), Jenkins allows for
> password-less authentication.
> I realize that v1.20 is an old version of the plugin, but many users
> (including myself) are not upgrading to the latest version due to known bugs
> with group-based LDAP/AD authentication.
> We should put a message/disclaimer on the Active Directory wiki page stating
> that users should upgrade to the latest version to avoid this issue.