Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.
References
Link | Resource |
---|---|
https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3001%20(2) | Vendor Advisory |
Configurations
History
30 May 2023, 14:30
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-295 | |
CPE | cpe:2.3:a:jenkins:saml_single_sign_on:*:*:*:*:*:jenkins:*:* | |
References | (MISC) https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3001%20(2) - Vendor Advisory | |
First Time |
Jenkins
Jenkins saml Single Sign On |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 3.7 |
Information
Published : 2023-05-16 17:15
Updated : 2024-02-28 20:13
NVD link : CVE-2023-32994
Mitre link : CVE-2023-32994
CVE.ORG link : CVE-2023-32994
JSON object : View
Products Affected
jenkins
- saml_single_sign_on
CWE
CWE-295
Improper Certificate Validation