Cross-Site Request Forgery Vulnerability in Jenkins SAML SSO Plugin
CVE-2023-32991

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Saml Single Sign On(sso) Plugin
Vendor: CVE Published:; 16 May 2023

Summary

A cross-site request forgery (CSRF) vulnerability exists in the Jenkins SAML Single Sign On (SSO) Plugin versions up to 2.0.2. This flaw enables attackers to send crafted HTTP requests to a specified URL, leading to the unauthorized execution of actions on behalf of the user. Additionally, the vulnerability allows the parsing of XML from remote locations or local files on the Jenkins controller, potentially exposing sensitive data and enabling further attacks.

Affected Version(s)

Jenkins SAML Single Sign On(SSO) Plugin 0 <= 2.0.2

References

https://www.jenkins.io/security/advisory/2023-05-16/#SECU...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
May 16, 2023
Vulnerability Reserved
May 16, 2023