Jenkins SAML SSO Plug 2.0.2: Missing Hostname Validation Enables MITM
CVE-2023-32993 Published on May 16, 2023

Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2023-32993 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

Origin Validation Error

The software does not properly verify that the source of data or communication is valid.


Products Associated with CVE-2023-32993

Want to know whenever a new CVE is published for Jenkins Saml Single Sign On? stack.watch will email you.

Jenkins Saml Single Sign On
 

Affected Versions

Jenkins Project Jenkins SAML Single Sign On(SSO) Plugin:

Exploit Probability

EPSS
0.14%
Percentile
33.33%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.