CVE-2023-32995
📋 TL;DR
This CSRF vulnerability in the Jenkins SAML Single Sign On (SSO) Plugin (from miniOrange) lets an attacker trick an authenticated Jenkins user's browser into hitting a plugin endpoint that makes Jenkins send an HTTP POST request, with a JSON body containing attacker-specified content, to miniOrange's API for sending emails. The result is email with arbitrary content sent through that service, usable for phishing or for leaking data to an external recipient. Affected: Jenkins instances running SAML SSO Plugin version 2.0.0 or earlier.
💻 Affected Systems
- Jenkins SAML Single Sign On (SSO) Plugin
📦 What is this software?
A third-party plugin by miniOrange that adds SAML 2.0 single sign-on to Jenkins, delegating user authentication to an external identity provider (IdP).
⚠️ Risk & Real-World Impact
Worst Case
Attackers use the Jenkins instance's miniOrange email integration to send phishing messages with attacker-chosen content, leading to credential theft, malware distribution, or disclosure of data to external recipients.
Likely Case
Attackers abuse the email functionality to send spam or phishing emails, potentially damaging the organization's reputation and enabling social engineering attacks.
If Mitigated
Disabling the plugin removes the vulnerable endpoint and neutralizes the issue. Jenkins' built-in CSRF protection is worthwhile defense in depth but does not by itself close this flaw: crumbs are only verified on POST requests, and CSRF findings in Jenkins plugins come from endpoints that do not require POST.
🎯 Exploit Status
Exploitation requires an authenticated user to be tricked into visiting a malicious webpage, making it straightforward but dependent on social engineering.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.1 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2994
Restart Required: Yes
Instructions:
1. Update the SAML SSO Plugin to version 2.0.1 or later via the Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.
🔧 Temporary Workarounds
Disable the SAML SSO Plugin
Temporarily disable the vulnerable plugin until patching is possible; this removes the endpoint the attack relies on. Users then lose SAML login, so make sure an alternative security realm and a working admin account are configured first.
Navigate to Jenkins > Manage Jenkins > Manage Plugins > Installed, find 'SAML Single Sign On (SSO) Plugin', and disable it.
Enable CSRF Protection in Jenkins
Ensure Jenkins' built-in CSRF protection is enabled as defense in depth. It does not neutralize this specific flaw on its own: crumbs are only verified on POST requests, and CSRF findings in Jenkins plugins come from endpoints that do not require POST.
Check and enable it in Jenkins > Manage Jenkins > Configure Global Security > Prevent Cross Site Request Forgery exploits (on Jenkins 2.222 and later, CSRF protection is always on and the checkbox is no longer shown).
🧯 If You Can't Patch
- Restrict network access to the Jenkins instance to trusted users and networks. This limits who can reach it directly, but a CSRF victim is an authenticated user whose browser can already reach Jenkins, so it does not stop the attack against those users.
- Monitor egress proxy or firewall logs for outbound requests from the Jenkins controller to miniOrange's API that do not line up with SAML logins or plugin configuration changes. A WAF in front of Jenkins cannot reliably tell a forged cross-site request from a legitimate one unless it validates the Origin/Referer headers on the plugin's endpoints; treat it as a weak control here.
🔍 How to Verify
Check if Vulnerable:
Check the installed plugin version in Jenkins > Manage Jenkins > Manage Plugins > Installed, look for 'SAML Single Sign On (SSO) Plugin' and verify if version is 2.0.0 or earlier.
Check Version:
On the Jenkins server, check the plugin version via the CLI (authentication with a user and API token is normally required): java -jar jenkins-cli.jar -s http://localhost:8080/ -auth user:apitoken list-plugins | grep -i 'SAML Single Sign On'
Verify Fix Applied:
After updating, confirm the plugin version is 2.0.1 or later in the same plugin management interface.
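The manual checks above can be scripted against the Jenkins plugin manager JSON API (/pluginManager/api/json?depth=1, which needs an account allowed to view Manage Jenkins). The script below is an added example, not code from the page or from the plugin's authors; it assumes the plugin's update-center ID is miniorange-saml-sp (confirm against your instance) and ships with a constructed sample response so it runs offline.

```python
"""Check whether the installed SAML Single Sign On (SSO) plugin is at a version
affected by CVE-2023-32995 (2.0.0 and earlier) via the Jenkins plugin manager API."""
import json
import re
import sys
import urllib.request
from base64 import b64encode

# Plugin ID as published on plugins.jenkins.io (assumed here; confirm on your instance).
PLUGIN_ID = "miniorange-saml-sp"
FIXED_VERSION = "2.0.1"


def parse_version(v):
    """Turn '2.0.0' or '2.0.1-rc1' into a tuple of ints so versions compare numerically."""
    return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))


def is_affected(version):
    """True when the version is older than the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess_plugins(plugin_manager_json):
    """Return findings for the SAML SSO plugin from a plugin manager API response."""
    findings = []
    for p in plugin_manager_json.get("plugins", []):
        if p.get("shortName") != PLUGIN_ID:
            continue
        findings.append({
            "shortName": p["shortName"],
            "version": p["version"],
            "active": bool(p.get("active", True)),
            "affected": is_affected(p["version"]),
        })
    return findings


def fetch_plugin_manager(base_url, user, api_token):
    """Query a live Jenkins controller with basic auth (user + API token)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/pluginManager/api/json?depth=1")
    cred = b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample response (not captured from a real instance); the real API
# returns the same field names.
SAMPLE_RESPONSE = {
    "plugins": [
        {"shortName": "git", "longName": "Git plugin", "version": "5.0.0", "active": True},
        {"shortName": PLUGIN_ID, "longName": "SAML Single Sign On(SSO)",
         "version": "2.0.0", "active": True},
    ]
}


def main(argv):
    # Usage: check.py <jenkins-url> <user> <api-token>; with no args, uses the sample.
    data = fetch_plugin_manager(*argv[1:4]) if len(argv) == 4 else SAMPLE_RESPONSE
    findings = assess_plugins(data)
    if not findings:
        print("SAML SSO plugin not installed")
        return 0
    for f in findings:
        state = "VULNERABLE" if f["affected"] else "fixed"
        print(f"{f['shortName']} {f['version']} active={f['active']}: {state} "
              f"(fixed in {FIXED_VERSION})")
    return 1 if any(f["affected"] for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Note that a disabled-but-installed plugin still shows up with active=false; the script reports it as affected because re-enabling it restores the vulnerable endpoint, so the version itself is what should be fixed.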
📡 Detection & Monitoring
Log Indicators:
- Jenkins does not write an HTTP access log by default; enable one (Winstone's --accessLoggerClassName option) or use the reverse proxy's log. Look there for requests to the SAML SSO plugin's endpoints that carry a cross-site Referer/Origin header or arrive outside normal SAML login flows.
Network Indicators:
- Outbound HTTP(S) requests from the Jenkins controller to miniOrange's API that do not correspond to SAML logins or plugin configuration changes. The emails themselves are sent by miniOrange's service, not by the Jenkins host, so your own mail-gateway logs will not show them.
SIEM Query:
Example Splunk query over egress proxy logs (field names depend on your sourcetype; the Jenkins hostname is a placeholder): index=proxy src_host="jenkins01" http_method=POST dest_host="*miniorange*" | stats count by dest_host, uri