CVE-2023-32994

Jenkins SAML Single Sign On (SSO) Plugin unconditionally disables SSL/TLS certificate validation in maven/io.jenkins.plugins/miniorange-saml-sp

Identifiers

GHSA-9m92-qwpc-qm78, CVE-2023-32994

Package Slug

maven/io.jenkins.plugins/miniorange-saml-sp

Vulnerability

Jenkins SAML Single Sign On (SSO) Plugin unconditionally disables SSL/TLS certificate validation

Description

Jenkins SAML Single Sign On (SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.
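The following Java snippet is an added illustration and is not the plugin's own code; the class and method names (`MetadataFetch`, `fetchInsecure`, `fetchSecure`, `socketFactoryForPrivateCa`) are hypothetical. It shows what "unconditionally disables SSL/TLS certificate validation" typically looks like in a Java HTTPS client (a trust-all `X509TrustManager` plus an accept-all `HostnameVerifier`), alongside the hardened form that keeps the JVM's default chain and hostname validation, and a third variant for the common reason such code gets written in the first place: an IdP whose certificate is issued by a private CA, which should be handled with a dedicated trust store rather than by turning validation off.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

// Hypothetical class for illustration; not taken from the plugin.
public class MetadataFetch {

    // ANTI-PATTERN: a trust manager whose check methods never throw accepts any
    // certificate chain, so an on-path attacker can present any certificate and the
    // connection still succeeds. Combined with the accept-all HostnameVerifier below,
    // TLS provides encryption but no authentication of the remote endpoint.
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            public void checkClientTrusted(X509Certificate[] chain, String authType) { /* no check */ }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { /* no check */ }
        }
    };
    static final HostnameVerifier ACCEPT_ANY_HOST = (hostname, session) -> true;

    // Vulnerable form: validation disabled unconditionally for every metadata fetch.
    static InputStream fetchInsecure(URL metadataUrl) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) metadataUrl.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ACCEPT_ANY_HOST);
        return conn.getInputStream();
    }

    // Hardened form: insist on https and leave the JVM defaults in place. The default
    // SSLSocketFactory validates the chain against the platform trust store (cacerts)
    // and the default HostnameVerifier checks the certificate's SAN/CN against the host.
    static InputStream fetchSecure(URL metadataUrl) throws Exception {
        if (!"https".equalsIgnoreCase(metadataUrl.getProtocol())) {
            throw new IllegalArgumentException("SAML metadata must be fetched over https: " + metadataUrl);
        }
        HttpsURLConnection conn = (HttpsURLConnection) metadataUrl.openConnection();
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        // Intentionally no setSSLSocketFactory / setHostnameVerifier override.
        return conn.getInputStream();
    }

    // Private-CA variant: when the IdP's certificate chains to an internal CA, build a
    // socket factory from an administrator-supplied trust store (PKCS12/JKS) instead of
    // disabling validation. Chain validation still runs; only the set of trusted roots changes.
    static SSLSocketFactory socketFactoryForPrivateCa(Path trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        return ctx.getSocketFactory();
    }

    static InputStream fetchWithPrivateCa(URL metadataUrl, Path trustStorePath, char[] password) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) metadataUrl.openConnection();
        conn.setSSLSocketFactory(socketFactoryForPrivateCa(trustStorePath, password));
        // Default hostname verification is kept: the IdP certificate must still name the host.
        return conn.getInputStream();
    }
}
```

For code review or a dependency audit of Jenkins plugins and similar Java components, the tell-tale signs of this class of defect are an `X509TrustManager` whose `checkServerTrusted` body is empty (or only logs), a `HostnameVerifier` that returns `true` unconditionally, or calls to `HttpsURLConnection.setDefaultSSLSocketFactory` / `setDefaultHostnameVerifier` that install such objects process-wide; the last of these is worse than the plugin-local form because it weakens every HTTPS client in the same JVM, not just the metadata fetch.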

Affected Versions

All versions before 2.2.0

Solution

Upgrade to version 2.2.0 or above.

Last Modified

2023-05-17
