Lucene search

JenkinsCVELIST:CVE-2023-32996

HistoryMay 16, 2023 - 4:00 p.m.

CVE-2023-32996

2023-05-1616:00:14

jenkins

www.cve.org

jenkins saml sso

permission check

http post

miniorange api

email sending

AI Score

4.8

Confidence

High

EPSS

0.001

Percentile

17.3%

JSON

A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier allows attackers with Overall/Read permission to send an HTTP POST request with JSON body containing attacker-specified content, to miniOrange’s API for sending emails.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Jenkins SAML Single Sign On(SSO) Plugin",
    "vendor": "Jenkins Project",
    "versions": [
      {
        "lessThanOrEqual": "2.0.0",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  }
]

References

www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2994