Impact
The Jenkins LDAP Plugin, version 807.v7d7de30930cf and earlier, deserializes data received in LDAP referrals without any validation, a classic instance of the "Deserialization of Untrusted Data" weakness (CWE-502). An attacker able to supply crafted referral data could have it interpreted by the plugin, resulting in the execution of arbitrary code or other unintended behavior on the Jenkins host. Although the description does not confirm a working exploit, the potential impact of such a vulnerability is significant: it could compromise the integrity of the Jenkins instance and give a malicious actor unauthorized command execution or data exfiltration capabilities.
Affected Systems
Affected are Jenkins installations that use the Jenkins LDAP Plugin version 807.v7d7de30930cf or earlier. The plugin is commonly used to authenticate users against an LDAP directory. Administrators should verify whether their installed plugin version falls within this range and determine whether LDAP referral following is enabled.
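A script for the version check described above, added here as an example that is not part of the OpenCVE page or of the plugin's own code. It assumes the LDAP Plugin's id in the plugin manager is `ldap` and that `/pluginManager/api/json?depth=1` returns `{"plugins": [{"shortName": ..., "version": ...}]}`; the sample response is constructed.

```python
import json

# Affected range stated in the advisory: 807.v7d7de30930cf and earlier.
LAST_AFFECTED = "807.v7d7de30930cf"
# Assumed plugin id as shown by the Jenkins plugin manager (not stated on the page).
LDAP_PLUGIN_ID = "ldap"


def version_key(version):
    """Turn a Jenkins plugin version into a comparable tuple.

    Jenkins plugins use both classic numeric versions ("2.12") and
    CD-style versions ("807.v7d7de30930cf"). Only the leading dot-separated
    numeric components define the ordering; the "v<hash>" suffix does not.
    """
    numeric = []
    for part in version.split("."):
        if not part.isdigit():
            break  # stop at "v7d7de30930cf" or any other non-numeric suffix
        numeric.append(int(part))
    return tuple(numeric)


def is_affected(version):
    """True when the installed version is 807.v7d7de30930cf or earlier."""
    return version_key(version) <= version_key(LAST_AFFECTED)


def check_plugin_manager(api_json):
    """Classify the LDAP plugin from a plugin-manager JSON response
    (assumed layout) as "affected", "fixed" or "not-installed"."""
    for plugin in json.loads(api_json).get("plugins", []):
        if plugin.get("shortName") == LDAP_PLUGIN_ID:
            return "affected" if is_affected(plugin["version"]) else "fixed"
    return "not-installed"


# Constructed sample of a plugin-manager response for offline use.
SAMPLE_API_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "5.2.1"},
        {"shortName": "ldap", "version": "807.v7d7de30930cf"},
    ]
})

if __name__ == "__main__":
    # With a live server: curl -u user:token "$JENKINS_URL/pluginManager/api/json?depth=1"
    print("LDAP plugin status:", check_plugin_manager(SAMPLE_API_JSON))
```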
Risk and Exploitability
The CVSS score of 6.6 corresponds to a medium severity rating, and the EPSS score of < 1% suggests a relatively low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, an attacker could presumably manipulate LDAP referral responses, either by controlling a malicious LDAP server or by injecting deceptive referrals into a trusted one, so that the plugin deserializes attacker-supplied data without validation. Successful exploitation would likely give the attacker remote code execution on the Jenkins host.
OpenCVE Enrichment