CVE-2023-32991
📋 TL;DR
This CSRF vulnerability in Jenkins SAML SSO Plugin allows attackers to trick authenticated users into making unintended HTTP requests to attacker-controlled URLs or parsing local files as XML. Attackers could potentially read sensitive files or make unauthorized requests. All Jenkins instances using SAML SSO Plugin version 2.0.2 or earlier are affected.
💻 Affected Systems
- Jenkins SAML Single Sign On (SSO) Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive files from the Jenkins controller, steal credentials, or make unauthorized requests to internal systems using the Jenkins controller's network position.
Likely Case
Attackers could read configuration files containing secrets, modify Jenkins settings, or make requests to internal services accessible from the Jenkins controller.
If Mitigated
With proper CSRF protections and network segmentation, impact would be limited to reading non-sensitive files or making requests to external systems only.
🎯 Exploit Status
Exploitation requires tricking an authenticated user into visiting a malicious page. The attacker needs to know the Jenkins URL and the user must have appropriate permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.3 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2993
Restart Required: Yes
Instructions:
1. Update Jenkins SAML SSO Plugin to version 2.0.3 or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.
3. Verify the plugin version in Manage Jenkins > Manage Plugins > Installed tab.
🔧 Temporary Workarounds
Disable SAML SSO Plugin
Temporarily disable the vulnerable plugin if immediate patching is not possible
Navigate to Manage Jenkins > Manage Plugins > Installed tab, find 'SAML Single Sign On (SSO) Plugin', click 'Disable'
Implement CSRF Protection
Enable Jenkins' built-in CSRF protection
Navigate to Manage Jenkins > Configure Global Security, enable 'Prevent Cross Site Request Forgery exploits', save configuration
🧯 If You Can't Patch
- Restrict network access to the Jenkins controller to trusted IPs only
- Implement web application firewall rules to block suspicious XML parsing requests
🔍 How to Verify
Check if Vulnerable:
Check plugin version in Jenkins: Manage Jenkins > Manage Plugins > Installed tab, look for 'SAML Single Sign On (SSO) Plugin' version
Check Version:
curl -s -u USER:API_TOKEN 'http://jenkins-url/pluginManager/api/json?depth=1' | grep -o '"shortName":"saml"[^}]*' | grep -o '"version":"[^"]*"'
(USER:API_TOKEN is a placeholder for an account allowed to read the plugin list; anonymous access to this API is normally denied. The API emits other fields between "shortName" and "version" in each plugin object, so a single pattern that expects them adjacent never matches; the two-stage grep isolates the saml plugin object first, then its version. No output means the plugin is not installed.)
Verify Fix Applied:
Verify plugin version is 2.0.3 or higher in Manage Jenkins > Manage Plugins > Installed tab
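Added example (not part of this advisory page or of the plugin project): a Python check that consumes the pluginManager JSON returned by the curl command above and reports whether the installed SAML plugin (shortName "saml") is below the 2.0.3 fix, disabled as in the temporary workaround, fixed, or absent. The sample dump is constructed; the per-plugin "enabled" and "active" fields are the ones the pluginManager API exports.

```python
import json
import sys

PLUGIN_SHORT_NAME = "saml"   # shortName of the SAML Single Sign On (SSO) Plugin
FIXED_VERSION = "2.0.3"      # first release carrying the fix, per the vendor advisory


def version_key(version):
    """Comparable key for a Jenkins plugin version string.
    Numeric dot-separated components compare as integers; a non-numeric component
    (e.g. the 'v<hash>' suffix newer plugins carry) sorts below any number,
    so '4.418.vabc' is still ordered as 4.418.x."""
    key = []
    for component in version.split("."):
        key.append((1, int(component)) if component.isdigit() else (0, component))
    return tuple(key)


def assess(plugin_manager_json):
    """Return (status, version) for the SAML plugin in a pluginManager JSON dump.
    status: 'not installed', 'disabled' (the temporary workaround: the plugin's
    code is not loaded), 'vulnerable' (below 2.0.3) or 'fixed'."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = plugin.get("version", "")
        # 'enabled' and 'active' are fields the pluginManager API exports per plugin.
        if not (plugin.get("enabled", True) and plugin.get("active", True)):
            return "disabled", version
        if version_key(version) < version_key(FIXED_VERSION):
            return "vulnerable", version
        return "fixed", version
    return "not installed", None


# Constructed sample dump: a controller still running the affected release.
SAMPLE = json.dumps({"plugins": [
    {"shortName": "git", "version": "5.0.0", "active": True, "enabled": True},
    {"shortName": "saml", "version": "2.0.2", "active": True, "enabled": True},
]})

if __name__ == "__main__":
    # Pipe the curl output in (curl ... | python3 check_saml.py); with no stdin, use SAMPLE.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(assess(raw))  # prints ('vulnerable', '2.0.2') for SAMPLE
```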
📡 Detection & Monitoring
Log Indicators:
- Unusual XML parsing errors in Jenkins logs
- Unexpected HTTP requests to external domains from Jenkins controller
Network Indicators:
- Outbound HTTP requests from Jenkins to unusual domains
- XML parsing requests to Jenkins SAML endpoints
SIEM Query:
source="jenkins.log" AND ("XML parsing error" OR ("saml" AND "csrf"))