PT-2023-24125 · Jenkins · Jenkins Saml Single Sign On(Sso) Plugin+1

Yaroslav Afenkin

Published

2023-05-16

Updated

2023-05-26

CVE-2023-32993

CVSS v3.1

4.8

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Jenkins SAML Single Sign On(SSO) Plugin versions 2.0.2 and earlier

Description The issue is related to the lack of hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata. This could be abused using a man-in-the-middle attack to intercept these connections.

Recommendations For Jenkins SAML Single Sign On(SSO) Plugin versions 2.0.2 and earlier, update to version 2.1.0 or later, which performs hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata.

Fix

Insufficient Verification of Data Authenticity

Origin Validation Error

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-345CWE-346

Related Identifiers

CVE-2023-32993

GHSA-6V6H-RW43-97FH

Affected Products

Jenkins

Jenkins Saml Single Sign On(Sso) Plugin

PT-2023-24125 · Jenkins · Jenkins Saml Single Sign On(Sso) Plugin+1

CVE-2023-32993

Weakness Enumeration

Related Identifiers

Affected Products

References · 6