Miggo Logo
Miggo Vulnerability Database
CVE-2023-32993

CVE-2023-32993: Jenkins SAML Single Sign On(SSO) Plugin missing hostname validation

4.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-32993
GHSA ID
GHSA-6v6h-rw43-97fh
EPSS Score
0.4135%
CWE
CWE-345
Published
5/16/2023
Updated
1/23/2025
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
io.jenkins.plugins:miniorange-saml-spmaven< 2.1.02.1.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing hostname validation during HTTPS connections to IdP metadata endpoints. Standard Java SSL patterns show:

  1. Connection-executing functions (retrieveMetadata) would be vulnerable if they don't enforce hostname checks
  2. SSL configuration methods (createSSLContext) would be responsible for security settings While no patch is available, the advisory explicitly calls out hostname validation as the mitigation added in 2.1.0, indicating these core connection-handling functions would be involved.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins S*ML Sin*l* Si*n On(SSO) Plu*in *.*.* *n* **rli*r *o*s not p*r*orm *ostn*m* v*li**tion w**n *onn**tin* to miniOr*n** or t** *on*i*ur** I*P to r*tri*v* S*ML m*t***t*. T*is l**k o* v*li**tion *oul* ** **us** usin* * m*n-in-t**-mi**l* *tt**k to

Reasoning

T** vuln*r**ility st*ms *rom missin* *ostn*m* v*li**tion *urin* *TTPS *onn**tions to I*P m*t***t* *n*points. St*n**r* J*v* SSL p*tt*rns s*ow: *. *onn**tion-*x**utin* *un*tions (r*tri*v*M*t***t*) woul* ** vuln*r**l* i* t**y *on't *n*or** *ostn*m* ****