GHSA-9m92-qwpc-qm78

GitHub Security Advisory

Jenkins SAML Single Sign On(SSO) Plugin unconditionally disables SSL/TLS certificate validation

GitHub Reviewed: Yes | Severity: MODERATE | Has CVE: Yes

Advisory Details

Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditionally disables SSL/TLS certificate validation for connections to miniOrange or the configured IdP to retrieve SAML metadata.

This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

SAML Single Sign On(SSO) Plugin 2.2.0 performs SSL/TLS certificate validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata.
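As an added illustration (not the plugin's own code, which is not reproduced here), the following Java snippet shows the class of defect the advisory describes, a metadata fetch that installs a trust-all trust manager and an accept-all hostname verifier, next to the hardened form that keeps the JVM's default chain and hostname validation. The class name, method names and the IdP metadata URL are constructed placeholders.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class SamlMetadataFetch {

    // Anti-pattern (constructed illustration): a trust manager that never throws
    // plus a hostname verifier that always returns true means any certificate is
    // accepted, so an on-path attacker can hand the client arbitrary metadata.
    static String fetchMetadataWithoutValidation(String metadataUrl) throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(metadataUrl).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((host, session) -> true);
        return read(conn.getInputStream());
    }

    // Hardened form: do not override the socket factory or hostname verifier.
    // HttpsURLConnection then validates the chain against the JVM trust store and
    // checks the hostname, failing closed with an SSLHandshakeException on a
    // forged or mismatched certificate. Also refuse non-https metadata URLs.
    static String fetchMetadataValidated(String metadataUrl) throws Exception {
        URL url = new URL(metadataUrl);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("IdP metadata URL must use https: " + metadataUrl);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        return read(conn.getInputStream());
    }

    private static String read(InputStream in) throws Exception {
        try (InputStream s = in) { return new String(s.readAllBytes(), StandardCharsets.UTF_8); }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder IdP metadata URL (constructed, not a real endpoint); pass a real one as args[0].
        String url = args.length > 0 ? args[0] : "https://idp.example.test/saml/metadata";
        System.out.println(fetchMetadataValidated(url).length() + " bytes of metadata");
    }
}
```

A code review or static check for any `X509TrustManager` whose `checkServerTrusted` body is empty, or any `HostnameVerifier` returning a constant `true`, catches this defect class before it ships.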

Affected Packages

Maven io.jenkins.plugins:miniorange-saml-sp
Affected versions: all versions before 2.2.0 (fixed in 2.2.0)

Related CVEs

Key Information

GHSA ID
GHSA-9m92-qwpc-qm78
Published
May 16, 2023 6:30 PM
Last Modified
May 17, 2023 3:32 AM
CVSS Score
5.0 /10
Primary Ecosystem
Maven
Primary Package
io.jenkins.plugins:miniorange-saml-sp
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.