Severity
4.8MEDIUM
EPSS
0.1%
top 78.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMay 16
Description
Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 2.2 | Impact: 2.5