CVE-2023-32993

Insufficient Verification of Data Authenticity in maven/io.jenkins.plugins/miniorange-saml-sp

Identifiers

GHSA-6v6h-rw43-97fh, CVE-2023-32993

Package Slug

maven/io.jenkins.plugins/miniorange-saml-sp

Vulnerability

Insufficient Verification of Data Authenticity

Description

Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.

Affected Versions

All versions before 2.1.0

Solution

Upgrade to version 2.1.0 or above.

Last Modified

2023-05-26

source