[org.jenkins-ci.plugins:active-directory] Missing permission check in Jenkins Active Directory Plugin allows accessing domain health check page

Active Directory Plugin 2.19 and earlier does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to access the domain health check diagnostic page.

Active Directory Plugin 2.20 requires Overall/Administer permission to access the domain health check diagnostic page.

References

• https://nvd.nist.gov/vuln/detail/CVE-2020-2302
• https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-1999
• https://github.com/advisories/GHSA-q6rq-4whr-r879