VYPR
Moderate severity · NVD Advisory · Published Jul 12, 2023 · Updated Nov 7, 2024

CVE-2023-37945

Description

Missing permission check in Jenkins SAML SSO Plugin 2.1.0–2.3.0 lets users with Overall/Read download security realm configuration.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2023-37945 is a missing permission check in the Jenkins SAML Single Sign On (SSO) Plugin, versions 2.1.0 through 2.3.0 inclusive. The plugin does not verify whether a user holds the required permission before serving an endpoint that returns a string representation of the current security realm. As a result, any attacker with Overall/Read permission, typically a low-privilege access level, can exploit this flaw [1][3].

Exploitation Conditions

Exploitation does not require any special network position beyond being an authenticated user on a Jenkins instance that has the SAML SSO Plugin installed and enabled. The attacker only needs Overall/Read permission, which is often granted to many users; no additional authentication or privileges are needed beyond that permission level [2][3]. Because the plugin endpoint enforces no permission check, the security realm's string representation can be downloaded without authorization.

Impact

An attacker can retrieve a string representation of the current security realm. This may expose sensitive configuration details such as the type of security realm, authentication provider settings, or other internal information that could aid in further attacks. The vulnerability does not allow arbitrary code execution or direct data modification, but it could leak information that weakens the overall security posture [1][2].

Mitigation

Jenkins has released SAML Single Sign On (SSO) Plugin version 2.3.1, which adds the missing permission check. Users are advised to upgrade to this version or later. No workaround is available other than removing the plugin or restricting Overall/Read permissions, which may not be practical. This vulnerability was announced in the Jenkins Security Advisory 2023-07-12 [1][2].
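
As an added illustration, not the SAML SSO plugin's actual source, the pattern behind the bug described in the Overview and the fix described here: a hypothetical Jenkins RootAction whose web method writes out the security realm, first without any permission check and then guarded by the Overall/Administer check that such a fix adds. The class name and URL path are assumptions.

```java
// Added illustration (hypothetical class), not code from the SAML SSO plugin.
import hudson.Extension;
import hudson.model.RootAction;
import hudson.security.SecurityRealm;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.StaplerRequest;
import org.kohsuke.stapler.StaplerResponse;

import java.io.IOException;

@Extension
public class RealmInfoAction implements RootAction {   // hypothetical name

    @Override public String getIconFileName() { return null; }   // no sidebar link
    @Override public String getDisplayName()  { return null; }
    @Override public String getUrlName()      { return "realm-info"; } // hypothetical URL

    // VULNERABLE pattern: Stapler routes GET <jenkins>/realm-info/realm here.
    // Reaching a RootAction only requires Overall/Read, and nothing below asks
    // for anything stronger before the realm configuration is written out.
    public void doRealm(StaplerRequest req, StaplerResponse rsp) throws IOException {
        SecurityRealm realm = Jenkins.get().getSecurityRealm();
        rsp.setContentType("text/plain;charset=UTF-8");
        rsp.getWriter().print(String.valueOf(realm));
    }

    // FIXED pattern: fail closed before touching the realm. checkPermission
    // rejects the request (AccessDeniedException) unless the caller holds
    // Overall/Administer, the permission that governs security realm settings.
    // In a real fix this body replaces doRealm rather than sitting beside it.
    public void doRealmSecured(StaplerRequest req, StaplerResponse rsp) throws IOException {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        SecurityRealm realm = Jenkins.get().getSecurityRealm();
        rsp.setContentType("text/plain;charset=UTF-8");
        rsp.getWriter().print(String.valueOf(realm));
    }
}
```

Reviewing a plugin for this bug class means checking every `do*` web method and `@JavaScriptMethod` that reads configuration for an explicit `checkPermission` (or `@RequirePOST` plus a check) before the data is produced.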

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: io.jenkins.plugins:miniorange-saml-sp (Maven)
Affected versions: < 2.3.1
Patched versions: 2.3.1

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1