CVE-2023-32993
MEDIUM4.8EPSS 0.06%Jenkins SAML Single Sign On(SSO) Plugin missing hostname validation
發布日:2023/5/16修改日:2025/1/23
描述
Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections. SAML Single Sign On(SSO) Plugin 2.1.0 performs hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata.
受影響套件(1)
- Maven/io.jenkins.plugins:miniorange-saml-spfrom 0, < 2.1.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.8 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |