GitHub Advisory DatabaseGHSA-9M92-QWPC-QM78Jenkins SAML Single Sign On(SSO) Plugin unconditionally disables SSL/TLS certificate validation
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
18.3%
Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata.
This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.
SAML Single Sign On(SSO) Plugin 2.2.0 performs SSL/TLS certificate validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| io.jenkins.plugins | miniorange-saml-sp | * | cpe:2.3:a:io.jenkins.plugins:miniorange-saml-sp:*:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
18.3%