Main Vulnerability Database Vulnerabilities #VU76251

Man-in-the-Middle (MitM) attack in SAML Single Sign On(SSO) - CVE-2023-32993

Published: May 17, 2023

Vulnerability identifier: #VU76251

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2023-32993

CWE-ID: CWE-300

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
SAML Single Sign On(SSO)

Software vendor:
Jenkins

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the affected plugin does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata. A remote attacker can perform a man-in-the-middle attack to intercept these connections.

Remediation

Install updates from vendor's website.

External links

https://jenkins.io/security/advisory/2023-05-16/

Man-in-the-Middle (MitM) attack in SAML Single Sign On(SSO) - CVE-2023-32993

Description

Remediation

External links

Please verify you're human