{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-57288", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2026-06-24T08:41:44.358Z", "datePublished": "2026-06-24T13:20:08.700Z", "dateUpdated": "2026-06-24T14:14:28.743Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2026-06-24T13:20:08.700Z"}, "affected": [{"vendor": "Jenkins Project", "product": "Jenkins Active Directory Plugin", "versions": [{"version": "0", "versionType": "maven", "lessThanOrEqual": "2.41.1", "status": "affected"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name."}], "references": [{"name": "Jenkins Security Advisory 2026-06-24", "url": "https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3651", "tags": ["vendor-advisory"]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-90", "lang": "en", "description": "CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-06-24T14:13:46.534006Z", "id": "CVE-2026-57288", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T14:14:28.743Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-57288", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-24T14:13:46.534006Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-90", "description": "CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-24T14:14:24.709Z"}}], "cna": {"affected": [{"vendor": "Jenkins Project", "product": "Jenkins Active Directory Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "maven", "lessThanOrEqual": "2.41.1"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3651", "name": "Jenkins Security Advisory 2026-06-24", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Jenkins Active Directory Plugin 2.41.1 and earlier does not escape the user name before building the LDAP search filter in the Windows native (ADSI) authentication path, allowing unauthenticated attackers to inject LDAP wildcard characters to enumerate directory entries and to authenticate as a matching user whose password they know without knowing their exact user name."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2026-06-24T13:20:08.700Z"}}}, "cveMetadata": {"cveId": "CVE-2026-57288", "state": "PUBLISHED", "dateUpdated": "2026-06-24T14:14:28.743Z", "dateReserved": "2026-06-24T08:41:44.358Z", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "datePublished": "2026-06-24T13:20:08.700Z", "assignerShortName": "jenkins"}, "dataVersion": "5.2"}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.41.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Jenkins Active Directory Plugin", "source": "cna", "vendor": "Jenkins Project"}, "product": "jenkins_active_directory_plugin", "vendor": "jenkins_project"}], "created": "2026-06-24T15:15:04.696638+00:00", "title": "LDAP Injection in Jenkins Active Directory Plugin Allows Enumeration and Impersonation", "updated": "2026-06-24T21:30:04.503844+00:00", "vendors": ["jenkins_project", "jenkins_project$PRODUCT$jenkins_active_directory_plugin"]}