PT-2023-3795 · Jenkins · Jenkins SAML Single Sign On(SSO) Plugin

Yaroslav Afenkin · Published 2023-05-16 · Updated 2023-05-30 · CVE-2023-32994

CVSS v3.1: 3.7 (Low)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins SAML Single Sign On(SSO) Plugin versions 2.1.0 and earlier

Description: The plugin does not validate the SSL/TLS certificate presented by miniOrange or the configured Identity Provider (IdP) when it connects to them to retrieve SAML metadata. An attacker positioned on the network path between Jenkins and those hosts can therefore terminate the TLS connection with an arbitrary certificate (a man-in-the-middle attack) and intercept the exchange, potentially disclosing protected information to a remote attacker. The attacker needs no privileges on Jenkins and no user interaction, but does need that network position, which is why the vector scores AC:H.

Recommendations: For Jenkins SAML Single Sign On(SSO) Plugin versions 2.1.0 and earlier, update to version 2.2.0 or later, which performs SSL/TLS certificate validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata. As a temporary workaround, restrict access to the plugin until the update is applied.
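The following is an added example, not code from the Jenkins SAML Single Sign On(SSO) plugin or from the advisory's author. It contrasts the vulnerable pattern behind this class of bug (a TrustManager that accepts every chain plus a HostnameVerifier that accepts every host) with a metadata fetch that leaves the JVM's default certificate-chain and hostname validation in place. The class name, the method names and the metadata URL are assumptions for illustration.

```java
// Added example (not the plugin's own code): fetching SAML IdP metadata
// with and without TLS certificate validation.
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

public class SamlMetadataFetch {

    // VULNERABLE pattern: a trust manager that never rejects a chain and a
    // hostname verifier that never rejects a host. Anyone who can intercept
    // the connection may present an arbitrary certificate and read the
    // metadata exchange; the client cannot tell it is not talking to the IdP.
    static HttpsURLConnection openTrustAll(URL metadataUrl) throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) metadataUrl.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        HostnameVerifier acceptAny = (hostname, session) -> true;
        conn.setHostnameVerifier(acceptAny);
        return conn;
    }

    // HARDENED pattern: do not override the defaults. The default SSLContext
    // validates the server chain against the JVM trust store (cacerts or the
    // store named by -Djavax.net.ssl.trustStore), and the JDK HTTPS client
    // checks during the handshake that the certificate matches the host in
    // the URL; the default HostnameVerifier does not relax that check.
    static HttpsURLConnection openValidated(URL metadataUrl) throws Exception {
        if (!"https".equalsIgnoreCase(metadataUrl.getProtocol())) {
            throw new IllegalArgumentException("metadata URL must use https: " + metadataUrl);
        }
        HttpsURLConnection conn = (HttpsURLConnection) metadataUrl.openConnection();
        conn.setSSLSocketFactory(SSLContext.getDefault().getSocketFactory());
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        return conn;
    }

    static String fetchMetadata(HttpsURLConnection conn) throws Exception {
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical IdP metadata endpoint; pass your own URL as the first argument.
        URL url = new URL(args.length > 0 ? args[0] : "https://idp.example.org/metadata");
        HttpsURLConnection conn = openValidated(url);
        try {
            String xml = fetchMetadata(conn);
            System.out.println("fetched " + xml.length() + " bytes of SAML metadata");
        } catch (SSLHandshakeException e) {
            // This is the outcome a validating client must produce when the peer
            // presents an untrusted or mismatched certificate, as a man-in-the-middle would.
            System.err.println("TLS validation failed, metadata rejected: " + e.getMessage());
        }
    }
}
```

To check that a client actually validates, point it at an endpoint that serves a self-signed or name-mismatched certificate (a local test server is enough): the hardened fetch must fail with an SSLHandshakeException, while the trust-all variant reads the metadata as if nothing were wrong. The same experiment against a Jenkins instance before and after upgrading the plugin to 2.2.0 demonstrates the difference the fix makes.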

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

BDU:2023-04086
CVE-2023-32994
GHSA-9M92-QWPC-QM78

Affected Products

Jenkins
Jenkins SAML Single Sign On(SSO) Plugin