CVE-2023-32993

MEDIUM

Jenkins Saml Single Sign ON < 2.0.2 - Origin Validation Error

Title source: rule

Description

Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.

References (1)

[Vendor Advisory] https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3001%20(1)

Scores

CVSS v3 4.8

EPSS 0.0006

EPSS Percentile 19.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-345 CWE-346

Status published

Products (2)

io.jenkins.plugins/miniorange-saml-sp 0 - 2.1.0Maven

jenkins/saml_single_sign_on < 2.0.2

Published May 16, 2023

Tracked Since Feb 18, 2026