CVE Catalog

CVE-2023-32994

LowCVSS 3.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

Jenkins SAML Single Sign On (SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata.

Risk Assessment

This could be abused using a man-in-the-middle attack to intercept these connections, posing a serious threat to data security.

Recommendation

It is recommended to update the plugin to the latest version to restore SSL/TLS certificate validation.

Original NVD description (English source)

Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS