Missing Permission Checks in Jenkins SAML Single Sign On Plugin by Jenkins
CVE-2023-32992

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Saml Single Sign On(sso) Plugin
Vendor: CVE Published:; 16 May 2023

What is CVE-2023-32992?

The Jenkins SAML Single Sign On Plugin is vulnerable due to missing permission checks, which could allow attackers with Overall/Read permission to exploit this weakness. This enables them to issue HTTP requests to user-specified URLs or parse local files on the Jenkins controller as XML. Such actions can lead to unauthorized access to sensitive data, posing a significant security risk to users.

Affected Version(s)

Jenkins SAML Single Sign On(SSO) Plugin 0 <= 2.0.2

References

https://www.jenkins.io/security/advisory/2023-05-16/#SECU...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 16, 2023
Vulnerability Reserved
May 16, 2023