VYPR
Moderate severity · NVD Advisory · Published May 16, 2023 · Updated Jan 23, 2025

CVE-2023-32994

Description

Jenkins SAML SSO Plugin 2.1.0 and earlier disables SSL/TLS certificate validation for SAML metadata retrieval, enabling man-in-the-middle attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability overview

The Jenkins SAML Single Sign On (SSO) Plugin, versions 2.1.0 and earlier, unconditionally disables SSL/TLS certificate validation when connecting to miniOrange or the configured Identity Provider (IdP) to retrieve SAML metadata [1][2]. The plugin therefore never checks that the certificate presented by the remote server chains to a trusted CA or matches the requested hostname, so the server authentication that HTTPS is supposed to provide for this connection is absent: the plugin encrypts traffic to whoever answers, not necessarily to the IdP.

Exploitation vectors

An attacker positioned on the network path between the Jenkins controller and the miniOrange/IdP service can perform a man-in-the-middle (MitM) attack [2]. By intercepting the HTTPS connection (for example via DNS or ARP spoofing, a compromised proxy, or control of an intermediate hop), the attacker presents a certificate of their own choosing; because validation is disabled, the plugin accepts it and completes the TLS handshake with the attacker. The attacker can then read, modify, or wholly replace the SAML metadata returned to the plugin without detection. No privileges on Jenkins are required; the only precondition is the ability to intercept the traffic, which the plugin initiates itself whenever it fetches or refreshes metadata.

Impact assessment

SAML IdP metadata is usually not secret in itself; what matters is its integrity. The metadata tells the service provider (here, Jenkins) which X.509 certificate signs the IdP's assertions and which endpoints users are redirected to for login. An attacker who can rewrite the metadata in transit can substitute their own signing certificate and SSO endpoints, after which Jenkins redirects logins to attacker-controlled infrastructure and accepts SAML assertions the attacker signs, yielding unauthorized access to Jenkins as whatever user the attacker asserts. The vulnerability therefore compromises the integrity of the SSO metadata exchange and, through it, the authentication decisions that depend on it; the confidentiality of the fetched metadata is affected as well, though that is the lesser concern.
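The disabled validation described under the vulnerability overview, and the metadata substitution it enables described in this section, shown together as an added example. This is illustrative Python, not the plugin's Java code and not taken from the advisory: tls_context builds the vulnerable and the hardened TLS client settings, parse_idp_metadata pulls out the signing certificate fingerprint and SSO endpoint an SP ends up trusting, and mitm_scenario compares a genuine metadata document with one an on-path attacker has rewritten. The entity IDs, URLs and certificate bytes are constructed placeholders, and accept_metadata is an illustrative out-of-band pin check, not a feature of the plugin.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

SAML_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": SAML_MD, "ds": XMLDSIG}

# Constructed placeholder certificate bytes (not real X.509 DER) so the
# example runs offline; only their SHA-256 fingerprints matter here.
GENUINE_IDP_CERT_DER = b"constructed: genuine IdP signing certificate bytes"
ATTACKER_CERT_DER = b"constructed: attacker signing certificate bytes"


def tls_context(verify_certificates: bool) -> ssl.SSLContext:
    """Client TLS context for the metadata fetch.

    verify_certificates=False reproduces the vulnerable configuration the
    advisory describes: chain validation and hostname checking are both off,
    so the handshake succeeds against any certificate an on-path attacker
    presents. The hardened form is simply Python's default context.
    """
    ctx = ssl.create_default_context()
    if not verify_certificates:
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def metadata_document(cert_der: bytes, sso_url: str) -> str:
    """Minimal constructed IdP metadata (EntityDescriptor) for the demo."""
    b64 = base64.b64encode(cert_der).decode()
    return (
        f'<md:EntityDescriptor xmlns:md="{SAML_MD}" xmlns:ds="{XMLDSIG}" '
        'entityID="https://idp.example.test/saml">'
        '<md:IDPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
        '<md:SingleSignOnService '
        'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        f'Location="{sso_url}"/>'
        '</md:IDPSSODescriptor></md:EntityDescriptor>'
    )


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what an SP ends up trusting from IdP metadata: the signing
    certificate fingerprint(s) and the SSO endpoint(s)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_MD}}}EntityDescriptor":
        raise ValueError("expected an md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):   # no 'use' means both
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    endpoints = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)]
    return {
        "entity_id": root.get("entityID"),
        "signing_fingerprints": fingerprints,
        "sso_endpoints": endpoints,
    }


def accept_metadata(xml_text: str, pinned_fingerprint: str) -> bool:
    """Defence-in-depth check an SP can apply after the fetch (illustrative,
    not a feature of the plugin): refuse metadata whose signing certificate
    does not match a fingerprint the administrator pinned out of band."""
    return pinned_fingerprint in parse_idp_metadata(xml_text)["signing_fingerprints"]


def mitm_scenario() -> dict:
    """What the SP receives with and without an on-path attacker."""
    genuine = metadata_document(GENUINE_IDP_CERT_DER, "https://idp.example.test/sso")
    # The attacker terminates TLS (accepted because validation is off) and
    # hands back metadata carrying their own signing key and SSO endpoint.
    tampered = metadata_document(ATTACKER_CERT_DER, "https://idp.example-login.test/sso")
    pin = hashlib.sha256(GENUINE_IDP_CERT_DER).hexdigest()
    return {
        "genuine": parse_idp_metadata(genuine),
        "tampered": parse_idp_metadata(tampered),
        "genuine_accepted": accept_metadata(genuine, pin),
        "tampered_accepted": accept_metadata(tampered, pin),
    }


if __name__ == "__main__":
    weak, strong = tls_context(False), tls_context(True)
    print("vulnerable context:", weak.verify_mode, "check_hostname =", weak.check_hostname)
    print("hardened context:  ", strong.verify_mode, "check_hostname =", strong.check_hostname)
    for name, value in mitm_scenario().items():
        print(f"{name}: {value}")
```

Note that the tampered document parses just as cleanly as the genuine one; nothing in the metadata itself reveals the swap. With certificate validation enabled the attacker's handshake fails before any metadata is returned, which is the actual fix; the fingerprint pin only limits the damage if validation is ever disabled again.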

Mitigation status

At the time the Jenkins Security Advisory [1] was published, no fixed version was listed. The GitHub Security Advisory data reproduced on this page now records 2.2.0 as the patched version of io.jenkins.plugins:miniorange-saml-sp, so administrators should upgrade to 2.2.0 or later and confirm afterwards that metadata retrieval fails when the IdP endpoint presents an untrusted certificate. Where an upgrade cannot be applied immediately, restrict the network path between the Jenkins controller and the IdP (for example, a dedicated VPN or strict egress firewall rules) so that an attacker cannot get on-path; this reduces but does not remove the risk, since the unpatched plugin still accepts any certificate.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                Ecosystem   Affected versions   Patched versions
io.jenkins.plugins:miniorange-saml-sp  Maven       < 2.2.0             2.2.0

Affected products: 2

Patches: 0 (no patch links discovered yet; see the patched version in the table above)

References: 3

News mentions: 1