Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata. The certificate presented by the TLS server is therefore never compared against the host named in the metadata URL, so an attacker in a man-in-the-middle position who holds any certificate the Jenkins JVM trusts can intercept these connections. Because SAML metadata carries the IdP's endpoints and signing certificate, an intercepted or substituted response matters beyond disclosure of the request itself.
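The defect class described above, as an added example in Java (the plugin's language) that is not code from the Jenkins SAML SSO plugin or the Jenkins project: a metadata fetch that installs an accept-everything `HostnameVerifier`, beside the hardened fetch that keeps the JDK's default verifier. The metadata URL and the class name are hypothetical placeholders; the `javax.net.ssl` calls are standard JDK APIs.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

/**
 * Added example, not code from the Jenkins SAML SSO plugin.
 * Shows the class of defect behind SECURITY-3001: fetching SAML metadata over
 * HTTPS with a HostnameVerifier that accepts any name (vulnerable), beside the
 * hardened fetch that leaves the JDK's default hostname check in place.
 */
public class SamlMetadataFetch {

    /** Hostname verifier that accepts every certificate name: this is the defect. */
    static final HostnameVerifier ACCEPT_ALL = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            // The certificate's CN/SAN is never compared to the host in the URL.
            return true;
        }
    };

    /**
     * Vulnerable pattern. The trust chain is still validated by the JDK, but the
     * name is not, so a MITM presenting any certificate the JVM trusts, for
     * example one legitimately issued for a host the attacker controls, is accepted.
     */
    static byte[] fetchMetadataInsecure(URL metadataUrl) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) metadataUrl.openConnection();
        conn.setHostnameVerifier(ACCEPT_ALL);
        return readAll(conn);
    }

    /**
     * Hardened pattern. The default verifier compares the presented certificate
     * against the host in the metadata URL; setting it explicitly also guards
     * against a permissive verifier installed process-wide elsewhere.
     */
    static byte[] fetchMetadataSecure(URL metadataUrl) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) metadataUrl.openConnection();
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        return readAll(conn);
    }

    private static byte[] readAll(HttpsURLConnection conn) throws IOException {
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        try (InputStream in = conn.getInputStream()) {
            return in.readAllBytes();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical IdP metadata URL; pass a real HTTPS URL as the first argument.
        URL url = new URL(args.length > 0 ? args[0] : "https://idp.example.com/saml/metadata");
        byte[] xml = fetchMetadataSecure(url);
        System.out.println("fetched " + xml.length + " bytes of metadata");
    }
}
```

When reviewing Java code for this defect class, the things to grep for are a `verify(...)` override that unconditionally returns `true`, Apache HttpClient's `NoopHostnameVerifier`, and calls to `setDefaultHostnameVerifier` that replace the JDK verifier process-wide. On a Jenkins controller, confirm the installed plugin version under Manage Jenkins and upgrade to a release the vendor advisory lists as fixed; until then, treat the path between Jenkins and the IdP as untrusted.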
References

Link | Resource
--- | ---
https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3001%20(1) | Vendor Advisory
History

26 May 2023, 02:02

Type | Values Removed | Values Added
--- | --- | ---
CWE | | CWE-345
References | | (MISC) https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3001%20(1) - Vendor Advisory
CVSS | | v2 : not scored; v3 : 4.8
CPE | | cpe:2.3:a:jenkins:saml_single_sign_on:*:*:*:*:*:jenkins:*:*
First Time | | Jenkins saml Single Sign On; Jenkins

16 May 2023, 17:15

Type | Values Removed | Values Added
--- | --- | ---
New CVE | |
Information
Published : 2023-05-16 17:15
Updated : 2023-12-10 15:01
NVD link : CVE-2023-32993
Mitre link : CVE-2023-32993
CVE.ORG link : CVE-2023-32993
Products Affected
jenkins
- saml_single_sign_on
CWE
CWE-345
Insufficient Verification of Data Authenticity