CVE-2023-32994

NVD

https://nvd.nist.gov/vuln/detail/CVE-2023-32994

CWE

https://cwe.mitre.org/data/definitions/295.html

Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.

Weakness

The product does not validate, or incorrectly validates, a certificate.

Affected Software

Name	Vendor	Start Version	End Version
Saml_single_sign_on	Jenkins	*	2.1.0 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/459.html
https://cwe.mitre.org/data/definitions/475.html

References

https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3001%20(2)

Improper Certificate Validation

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References