Insufficient Verification of Data Authenticity

CVE-2023-32993

Medium

4.8/10

Summary

Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-345 - Insufficient Verification of Data Authenticity

The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

References

Advisory Timeline

Published May 16, 2023

Insufficient Verification of Data Authenticity

CVE-2023-32993

Summary

CWE-345 - Insufficient Verification of Data Authenticity

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS