PT-2023-24125 · Jenkins · Jenkins Saml Single Sign On(Sso) Plugin+1

Yaroslav Afenkin

·

Publicado

2023-05-16

·

Atualizado

2023-05-26

·

CVE-2023-32993

CVSS v3.1

4.8

Média

VetorAV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Jenkins SAML Single Sign On(SSO) Plugin versions 2.0.2 and earlier
Description The issue is related to the lack of hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata. This could be abused using a man-in-the-middle attack to intercept these connections.
Recommendations For Jenkins SAML Single Sign On(SSO) Plugin versions 2.0.2 and earlier, update to version 2.1.0 or later, which performs hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata.

Correção

Insufficient Verification of Data Authenticity

Origin Validation Error

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-345CWE-346

Identificadores relacionados

CVE-2023-32993
GHSA-6V6H-RW43-97FH

Produtos afetados

Jenkins
Jenkins Saml Single Sign On(Sso) Plugin