CVE-2023-32995

Name of the Vulnerable Software and Affected Versions Jenkins SAML Single Sign On(SSO) Plugin versions 2.0.0 and earlier

Description A cross-site request forgery (CSRF) vulnerability allows attackers to send an HTTP POST request with a JSON body containing attacker-specified content to miniOrange's API for sending emails. The vulnerability is due to the lack of a permission check in an HTTP endpoint, which can be exploited by attackers with Overall/Read permission. Additionally, the HTTP endpoint does not require POST requests, contributing to the CSRF vulnerability.

Recommendations For Jenkins SAML Single Sign On(SSO) Plugin versions 2.0.0 and earlier, update to version 2.0.1 or later, which removes the affected HTTP endpoint. As a temporary workaround, consider restricting access to the vulnerable HTTP endpoint to minimize the risk of exploitation.