GHSA-6v6h-rw43-97fh

Опубликовано: 16 мая 2023

Источник: github

Github: Прошло ревью

CVSS3: 4.8

Описание

Jenkins SAML Single Sign On(SSO) Plugin missing hostname validation

Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

SAML Single Sign On(SSO) Plugin 2.1.0 performs hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata.

Ссылки

Пакеты

Наименование

io.jenkins.plugins:miniorange-saml-sp

maven

Затронутые версииВерсия исправления

< 2.1.0

2.1.0

EPSS

Процентиль: 34%

0.0014

Низкий

4.8 Medium

CVSS3

CVE ID

CVE-2023-32993

Дефекты

CWE-345

CWE-346

Связанные уязвимости

CVE-2023-32993

CVSS3: 4.8

nvd

больше 2 лет назад

Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.

EPSS

Процентиль: 34%

0.0014

Низкий

4.8 Medium

CVSS3

CVE ID

CVE-2023-32993

Дефекты

CWE-345

CWE-346