ASA-2019-00092 – Jenkins: Improper certificate validation with StartTLS in Active Directory Plugin

Active Directory Plugin performs a TLS upgrade (StartTLS) after connecting to domain controllers through insecure LDAP. In this mode, certificates were not properly validated: all certificates were effectively trusted, which allowed man-in-the-middle attacks. This only affected TLS upgrades. The LDAPS mode, available by setting the system property hudson.plugins.active_directory.ActiveDirectorySecurityRealm.forceLdaps to true, was unaffected.
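
The bug class described above, sketched with the standard JNDI StartTLS API as an added example (not the plugin's own code): an accept-everything trust manager next to the corrected form that validates against the JVM default trust store. The class name, method names and the host argument are assumptions made for illustration.

```java
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class StartTlsValidationDemo {
    // Illustrative anti-pattern (assumed, not the plugin's code): every chain is accepted.
    static SSLContext trustAll() throws Exception {
        TrustManager[] tm = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { } // no check at all
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tm, null);
        return ctx;
    }

    // Corrected form: null trust managers select the JVM default trust store.
    static SSLContext validating() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        return ctx;
    }

    // Plain LDAP connect, then upgrade with StartTLS using the given SSLContext.
    static void upgrade(String host, SSLContext ssl) throws Exception {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":389");
        LdapContext ldap = new InitialLdapContext(env, null);
        try {
            StartTlsResponse tls = (StartTlsResponse) ldap.extendedOperation(new StartTlsRequest());
            tls.negotiate(ssl.getSocketFactory()); // throws if the chain or host name is rejected
            tls.close();
        } finally {
            ldap.close();
        }
    }
    public static void main(String[] args) throws Exception {
        upgrade(args[0], validating()); // args[0]: domain controller host name
    }
}
```

Run with the validating context against a domain controller whose CA is not in the JVM trust store, the negotiation fails with an exception, which is the behaviour a StartTLS client needs before any bind credentials are sent.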