CVE-2023-32994
LowCVSS 3.7Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
Jenkins SAML Single Sign On (SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata.
Risk Assessment
This could be abused using a man-in-the-middle attack to intercept these connections, posing a serious threat to data security.
Recommendation
It is recommended to update the plugin to the latest version to restore SSL/TLS certificate validation.
Original NVD description (English source)
Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.

