VYPR
High severityNVD Advisory· Published May 16, 2023· Updated Jan 23, 2025

CVE-2023-32991

Description

Cross-site request forgery in Jenkins SAML SSO Plugin allows attackers to send requests to arbitrary URLs or parse local files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-site request forgery (CSRF) vulnerability exists in Jenkins SAML Single Sign On (SSO) Plugin versions 2.0.2 and earlier. The plugin exposes an HTTP endpoint that does not require POST requests. Jenkins enforces its CSRF protection (the crumb) only on POST, so an endpoint that also accepts GET can be triggered by a plain link or image tag, letting an attacker make an authenticated Jenkins administrator's browser perform the action without the victim intending it [1][2].

The attacker places a link, image tag or auto-submitting form on a page they control. When a logged-in administrator loads it, the browser sends the request to Jenkins with the victim's session cookie, and the plugin fetches an attacker-specified URL and parses the response as XML. Alternatively, the request can make the plugin parse a local file on the Jenkins controller as XML [1]. The attacker needs no Jenkins account of their own; the victim's session supplies the authorization.

The URL fetch is a server-side request forgery (SSRF) primitive: the Jenkins controller, not the attacker, makes the outbound request, so it can reach hosts on internal networks that the attacker cannot address directly. The local-file variant makes the controller parse arbitrary files (for example, configuration files) as XML, which can expose their contents [2]. One caveat for the CSRF path: the browser's same-origin policy keeps the Jenkins response away from the attacker's page, so on its own this is a blind primitive; the attacker observes the effect only where it is visible from outside, such as a request arriving at a server they control.
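The endpoint pattern the description implies, shown as an added illustration beside a hardened version. This is not code from the SAML SSO plugin or from the Jenkins advisory: the class, method and parameter names (IdpMetadataDescriptor, doValidateMetadata, metadataUrl) are hypothetical, while the Stapler annotations, FormValidation and Jenkins permission APIs are real. The parser hardening goes one step beyond the page's own text, as defense in depth for the "parse the response as XML" step.

```java
// Added illustration, not the plugin's code. Names below are hypothetical.
package example;

import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;

import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

public class IdpMetadataDescriptor {

    // VULNERABLE pattern (the class of bug the advisory describes): a public
    // Stapler web method (doXxx) with no HTTP-method restriction and no
    // permission check. Jenkins only enforces its CSRF crumb on POST, so a GET
    // to this method, embedded in an attacker's page and loaded by a logged-in
    // user, makes the controller fetch and parse an attacker-chosen URL. A
    // file: URL reaches the controller's own filesystem through the same path.
    public FormValidation doValidateMetadataUnsafe(@QueryParameter String metadataUrl) {
        try (InputStream in = new URL(metadataUrl).openStream()) {
            DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(in);
            return FormValidation.ok("Metadata parsed");
        } catch (Exception e) {
            return FormValidation.error("Could not parse metadata: " + e.getMessage());
        }
    }

    // HARDENED form:
    //  - @RequirePOST makes Stapler refuse GET before the method runs and puts
    //    the request under Jenkins' crumb check, which defeats the CSRF.
    //  - The explicit permission check stops a low-privileged user from driving
    //    the controller's HTTP client (a missing-permission bug would be a
    //    separate issue, but the check costs one line).
    //  - Only http(s) is accepted, so file: cannot name a local file.
    //  - The XML parser has DOCTYPE and external entities disabled.
    @RequirePOST
    public FormValidation doValidateMetadata(@QueryParameter String metadataUrl) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);

        URL url;
        try {
            url = new URL(metadataUrl);
        } catch (MalformedURLException e) {
            return FormValidation.error("Not a valid URL");
        }
        String scheme = url.getProtocol();
        if (!"https".equals(scheme) && !"http".equals(scheme)) {
            return FormValidation.error("Only http(s) URLs are allowed");
        }

        try (InputStream in = url.openStream()) {
            newHardenedParser().parse(in);
            return FormValidation.ok("Metadata parsed");
        } catch (Exception e) {
            return FormValidation.error("Could not parse metadata: " + e.getMessage());
        }
    }

    // Standard JAXP hardening: no DOCTYPE, no external entities, no XInclude.
    private static DocumentBuilder newHardenedParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }
}
```

With the hardened method in place, a GET to the endpoint is rejected by Stapler with a method-not-allowed response, and a cross-origin POST fails the crumb check as long as Jenkins' CSRF protection stays enabled; the permission check then applies to the requests that remain. The same three checks (POST-only, permission, scheme allow-list) are what to look for when reviewing any form-validation endpoint that makes the controller fetch a user-supplied location.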

Upgrade the SAML SSO Plugin to 2.1.0 or later, the version the Jenkins security advisory lists as fixed [1]. If upgrading is not immediately possible, disable the plugin, or restrict access to the Jenkins web interface to trusted users and networks until the upgrade is done. Keep Jenkins' built-in CSRF protection enabled in either case, since a POST-only endpoint relies on it.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.jenkins.plugins:miniorange-saml-sp (Maven)
Affected versions: < 2.1.0
Patched versions: 2.1.0
