VYPR
Moderate severity · NVD Advisory · Published May 16, 2023 · Updated Jan 23, 2025

CVE-2023-32996

Description

Jenkins SAML SSO Plugin 2.0.0 and earlier lacks a permission check, letting attackers with Overall/Read abuse a POST endpoint to send arbitrary content to miniOrange's email API.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2023-32996 describes a missing permission check in the Jenkins SAML Single Sign On (SSO) Plugin version 2.0.0 and earlier. The flaw resides in a feature that allows users to send HTTP POST requests with a JSON body to miniOrange's API for sending emails. Because the plugin does not verify that the user has the necessary permissions to perform such an action, an attacker with only Overall/Read permissions can invoke this endpoint.[1][2]

Exploitation

Prerequisites

An attacker must have Overall/Read permission on a Jenkins instance running the affected plugin version. No additional authentication or network position is required beyond that base access. The attacker crafts a POST request with a JSON body containing content of their choosing and sends it to the plugin, which forwards it to miniOrange's email-sending API.[1]

Impact

By abusing this endpoint, an attacker can cause the Jenkins instance to send arbitrary email content through miniOrange's service. The exact impact on recipients or systems depends on the attacker's crafted content, but this could include sending phishing emails, spam, or other malicious messages that appear to originate from a trusted Jenkins server, potentially leading to social engineering or reputation damage.[1][2]

Mitigation

Jenkins rates the severity of this vulnerability as High. As of May 16, 2023, no fix has been released for this specific issue. Users are advised to apply the principle of least privilege and remove Overall/Read permissions from untrusted users, or monitor for updates from the plugin maintainer.[1]

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.jenkins.plugins:miniorange-saml-sp (Maven)
Affected versions: < 2.0.1
Patched versions: 2.0.1

Affected products: 2

Patches: 0 (no patches discovered yet)
