CVE-2023-32992
Description
Missing permission checks in Jenkins SAML SSO Plugin permit attackers with Overall/Read to send HTTP requests to attacker-controlled URLs or parse local files as XML.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Jenkins SAML Single Sign On (SSO) Plugin version 2.0.2 and earlier contains a missing permission check vulnerability [1]. Specifically, the plugin does not properly verify that a user has the necessary permissions to perform certain operations, allowing users with only Overall/Read permission to trigger unauthorized actions [2].
An attacker with Overall/Read permission can exploit this by causing the Jenkins controller to send an HTTP request to an attacker-specified URL and parse the response as XML. Alternatively, the attacker can cause the plugin to parse a local file on the Jenkins controller as XML [1][2]. The attack does not require any privileges beyond the default read access.
The impact includes potential information disclosure through the parsing of arbitrary files or responses. If the attacker can control the content being parsed, they might be able to perform Server-Side Request Forgery (SSRF) or access sensitive data [2].
Jenkins has released a fix in a subsequent version. Users are advised to update the SAML SSO Plugin to the latest version to mitigate this vulnerability [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
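To make the bug class concrete, here is an added, hypothetical illustration of a Jenkins plugin web method with the missing permission check beside a hardened form; it is not the miniorange-saml-sp plugin's code, and the class and method names are invented. `Jenkins.get().checkPermission(Jenkins.ADMINISTER)`, `@RequirePOST` and `FormValidation` are real Jenkins/Stapler APIs; the example takes the XML as a parameter and leaves out the URL fetch the advisory describes, since the fix (authorization before work, and a parser that cannot read local files) is the same either way.

```java
// Hypothetical illustration of the bug class, not the miniorange-saml-sp plugin's code.
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import jenkins.model.Jenkins;
import hudson.util.FormValidation;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.interceptor.RequirePOST;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class MetadataCheck {

    // Shape of the defect: a Stapler-exposed web method that parses caller-supplied XML
    // with default parser settings and performs no permission check, so any user holding
    // Overall/Read can drive it (the advisory's case also fetches that XML from a URL the
    // caller chooses, which is omitted here).
    public FormValidation doValidateMetadataUnchecked(@QueryParameter String metadata) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
                .parse(new InputSource(new StringReader(metadata)));
        return FormValidation.ok("root element: " + doc.getDocumentElement().getTagName());
    }

    // Hardened form: require a POST, require Overall/Administer before doing any work on the
    // caller's behalf, and refuse DOCTYPE/external entities so the parser cannot pull in
    // local files via entity expansion.
    @RequirePOST
    public FormValidation doValidateMetadata(@QueryParameter String metadata) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER); // throws an access-denied exception otherwise
        try {
            Document doc = parseSecurely(metadata);
            return FormValidation.ok("root element: " + doc.getDocumentElement().getTagName());
        } catch (Exception e) {
            return FormValidation.error(e, "Metadata is not acceptable XML");
        }
    }

    // JAXP parser configured to reject DOCTYPE declarations and external entities entirely.
    static Document parseSecurely(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // any <!DOCTYPE> fails
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }
}
```

With `disallow-doctype-decl` set, a document carrying a DOCTYPE is rejected before any entity is resolved, which is the behaviour to look for when reviewing a plugin's XML handling.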
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:miniorange-saml-sp (Maven) | < 2.1.0 | 2.1.0 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3xf9-pgc2-mr9c (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-32992 (NVD advisory)
- www.jenkins.io/security/advisory/2023-05-16/ (vendor advisory)
News mentions
- Jenkins Security Advisory 2023-05-16 (Jenkins Security Advisories, May 16, 2023)