
CVE-2023-32994: Jenkins SAML Single Sign On(SSO) Plugin unconditionally disables SSL/TLS certificate validation

CVSS Score: 4.8 (CVSS 3.1)

Basic Information

EPSS Score: 0.32991%
Published: 5/16/2023
Updated: 11/5/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name: io.jenkins.plugins:miniorange-saml-sp
Ecosystem: Maven
Vulnerable Versions: < 2.2.0
First Patched Version: 2.2.0

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from SSL/TLS certificate validation being disabled during SAML metadata retrieval. The functions of interest are those that configure the HTTP client (using a trust-all TrustManager and NoopHostnameVerifier) and those that execute the metadata fetch: the first most likely implements the insecure SSL configuration, and the second uses that client to retrieve the metadata. These are standard patterns in Java HTTP client code, and the CWE-295 (Improper Certificate Validation) classification confirms that certificate validation is the core issue.
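As an added illustration (not the plugin's code, and not taken from this page), the weak client configuration the analysis describes is shown beside a hardened one. It assumes Apache HttpClient 4.5.x, the library in which NoopHostnameVerifier and TrustAllStrategy live; the class name SamlMetadataFetcher, the helper names and the metadata URL are placeholders.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustAllStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

/** Hypothetical metadata fetcher (not the plugin's code); assumes Apache HttpClient 4.5.x. */
public final class SamlMetadataFetcher {

    /**
     * The CWE-295 pattern the analysis describes: every server certificate is
     * accepted and the hostname is never compared with the certificate, so the
     * client cannot distinguish the real IdP from anyone on the network path.
     */
    static CloseableHttpClient weakClient() throws GeneralSecurityException {
        SSLContext ctx = SSLContexts.custom()
                .loadTrustMaterial((KeyStore) null, TrustAllStrategy.INSTANCE)
                .build();
        return HttpClients.custom()
                .setSSLSocketFactory(
                        new SSLConnectionSocketFactory(ctx, NoopHostnameVerifier.INSTANCE))
                .build();
    }

    /**
     * Hardened form: normal PKIX chain validation plus RFC 2818 hostname
     * matching. With a null trust store the JVM's default CA set is used; pass
     * a trust store holding the IdP's private CA when the IdP is internal.
     */
    static CloseableHttpClient hardenedClient(KeyStore trustStore) throws GeneralSecurityException {
        SSLContext ctx = trustStore == null
                ? SSLContexts.createSystemDefault()
                : SSLContexts.custom().loadTrustMaterial(trustStore, null).build();
        return HttpClients.custom()
                .setSSLSocketFactory(
                        new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier()))
                .build();
    }

    /** Loads a PKCS#12 trust store from disk (helper for hardenedClient). */
    static KeyStore loadTrustStore(Path p12, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(p12)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Fetches metadata; refuses plain-http URLs so TLS validation cannot be sidestepped. */
    static String fetchMetadata(CloseableHttpClient client, String metadataUrl) throws IOException {
        if (!"https".equalsIgnoreCase(URI.create(metadataUrl).getScheme())) {
            throw new IOException("metadata URL must use https: " + metadataUrl);
        }
        try (CloseableHttpResponse resp = client.execute(new HttpGet(metadataUrl))) {
            int status = resp.getStatusLine().getStatusCode();
            if (status != 200) {
                throw new IOException("metadata fetch failed: HTTP " + status);
            }
            return EntityUtils.toString(resp.getEntity(), "UTF-8");
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL; replace with the IdP's real metadata endpoint.
        String url = args.length > 0 ? args[0] : "https://idp.example.invalid/saml/metadata";
        try (CloseableHttpClient client = hardenedClient(null)) {
            String xml = fetchMetadata(client, url);
            System.out.println("fetched " + xml.length() + " bytes of SAML metadata");
        }
    }
}
```

In practice the fix is the second method, or simply not overriding the default socket factory at all; the weak method is included only so the two configurations can be compared side by side, and its presence in a code base (TrustAllStrategy, a custom all-accepting X509TrustManager, or NoopHostnameVerifier on a production client) is the thing to look for when auditing for this class of defect.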


WAF Protection Rules

WAF Rule

Jenkins SAML Single Sign On(SSO) Plugin versions before 2.2.0 unconditionally disable SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata. This lack of validation could be abused using a man-in-t…
