SAML SSO Plugin Vulnerability in Jenkins by CloudBees
CVE-2023-32994

3.7LOW

Key Information:

Vendor

Jenkins
Status
Jenkins Saml Single Sign On(sso) Plugin
Vendor
CVE Published:
16 May 2023

What is CVE-2023-32994?

The Jenkins SAML Single Sign On Plugin versions up to 2.1.0 disable SSL/TLS certificate validation for connections to miniOrange or designated Identity Providers. This flaw can be exploited through man-in-the-middle attacks, allowing malicious actors to intercept and manipulate SAML metadata retrieval processes. Organizations using this plugin are advised to review their configurations and apply the necessary security updates to mitigate potential risks.

Affected Version(s)

Jenkins SAML Single Sign On(SSO) Plugin 0 <= 2.1.0

References

https://www.jenkins.io/security/advisory/2023-05-16/#SECU...
vendor-advisory

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.