July 17, 2023

GHSL-2023-074: Server-Side Request Forgery (SSRF) in miniorange-saml-sp-plugin - CVE-2023-32991, CVE-2023-32992

Alvaro Munoz

Coordinated Disclosure Timeline


A Server-Side Request Forgery (SSRF) vulnerability was found in the miniorange-saml-sp-plugin. The vulnerability resides in the org.miniorange.saml.MoSAMLAddIdp#doValidateMetadataUrl method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.


SAML Single Sign On (SSO) Jenkins plugin

Tested Version

Jenkins SAML SSO Release 2.0.2


SSRF in org.miniorange.saml.MoSAMLAddIdp#doValidateMetadataUrl (GHSL-2023-074)

The doValidateMetadataUrl method of the MoSAMLAddIdp class performs an HTTP GET against the caller-supplied metadataUrl parameter without validating or sanitizing it, and without requiring the caller to be authenticated. This allows blind server-side request forgery (SSRF): the fetched body is not returned to the caller, but whether the request and subsequent metadata parsing succeeded is reflected in the form validation result.

Affected source code:

        public FormValidation doValidateMetadataUrl(@QueryParameter String metadataUrl) throws Exception {
            try {
                // metadataUrl comes straight from the query string and is fetched as-is
                String metadata = sendGetRequest(metadataUrl);
                List<String> metadataUrlValues = configureFromMetadata(metadata);
            } catch (Exception e) {
                LOGGER.fine("Invalid metadata Url" + e);
                return FormValidation.error("Invalid metadata Url");
            }
            return FormValidation.okWithMarkup("Valid metadata Url, please hit save button");
        }
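For comparison, the following is a hardened form of the same form-validation method. It is an added example written for this page, not the plugin's code and not the fix the maintainers shipped. It assumes the plugin's helpers sendGetRequest and configureFromMetadata keep the signatures seen above (they are declared abstract here so the class stands on its own), and it uses standard Jenkins core and Stapler APIs; the class and package names are hypothetical.

```java
package org.example.hardened; // hypothetical package, not the plugin's

import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Locale;
import java.util.logging.Logger;

/**
 * Hardened variant of the vulnerable doValidateMetadataUrl (added example, not
 * the plugin's code). The two abstract helpers stand in for the plugin's own
 * sendGetRequest/configureFromMetadata, assumed to keep their signatures.
 */
public abstract class HardenedMetadataUrlDescriptor {
    private static final Logger LOGGER =
            Logger.getLogger(HardenedMetadataUrlDescriptor.class.getName());

    protected abstract String sendGetRequest(String url) throws Exception;
    protected abstract List<String> configureFromMetadata(String metadata) throws Exception;

    @POST // (1) GET is rejected, and Jenkins' CSRF crumb check applies to the POST
    public FormValidation doValidateMetadataUrl(@QueryParameter String metadataUrl) {
        // (2) only administrators may make Jenkins issue outbound requests on their behalf
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);

        // (3) refuse typical SSRF targets before any request is made
        String reason = rejectionReason(metadataUrl);
        if (reason != null) {
            return FormValidation.error(reason);
        }

        try {
            String metadata = sendGetRequest(metadataUrl);
            configureFromMetadata(metadata);
        } catch (Exception e) {
            // (4) one generic message: the endpoint must not act as a host/port oracle
            LOGGER.fine("Invalid metadata URL: " + e);
            return FormValidation.error("Invalid metadata URL");
        }
        return FormValidation.ok("Valid metadata URL, please hit save button");
    }

    /** Returns null when the URL is acceptable, otherwise a human-readable reason. */
    static String rejectionReason(String metadataUrl) {
        if (metadataUrl == null || metadataUrl.trim().isEmpty()) {
            return "Metadata URL is required";
        }
        URI uri;
        try {
            uri = new URI(metadataUrl.trim());
        } catch (URISyntaxException e) {
            return "Metadata URL is not a valid URL";
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("https")) {
            return "Metadata URL must use https"; // no file:, jar:, plain http, ...
        }
        if (uri.getUserInfo() != null) {
            return "Metadata URL must not embed credentials";
        }
        String host = uri.getHost();
        if (host == null) {
            return "Metadata URL must contain a host name";
        }
        InetAddress[] addresses;
        try {
            addresses = InetAddress.getAllByName(host); // bracketed IPv6 literals are accepted
        } catch (UnknownHostException e) {
            return "Metadata URL host cannot be resolved";
        }
        for (InetAddress a : addresses) {
            if (isNonPublic(a)) {
                return "Metadata URL must not point at a loopback, private or link-local address";
            }
        }
        // Caveat: this resolves the name once. sendGetRequest must connect to the vetted
        // address (not re-resolve, which a DNS-rebinding attacker can exploit) and must
        // not follow redirects, which could otherwise land on an internal address.
        return null;
    }

    /** Loopback, RFC 1918, link-local (169.254/16 incl. cloud metadata), ULA, unspecified, multicast. */
    static boolean isNonPublic(InetAddress a) {
        if (a.isLoopbackAddress() || a.isSiteLocalAddress() || a.isLinkLocalAddress()
                || a.isAnyLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        byte[] raw = a.getAddress();
        // IPv6 unique-local fc00::/7 is not covered by isSiteLocalAddress()
        return raw.length == 16 && (raw[0] & 0xfe) == 0xfc;
    }
}
```

The order matters: the permission check and the @POST restriction remove the unauthenticated, link-triggerable exposure on their own; the destination check limits what even an administrator can make the server fetch. The address filter is deliberately a denylist of well-known internal ranges (it does not cover, for example, 100.64/10), so in an environment with a known set of identity providers an allowlist of expected metadata hosts is the stronger option.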

In order to exploit the vulnerability, an attacker may send the following crafted request, with the metadataUrl query parameter pointing at an attacker-chosen URL:

GET /jenkins/descriptorByName/org.miniorange.saml.MoSAMLAddIdp/validateMetadataUrl? HTTP/1.1
Host: localhost:8080
Connection: close

This vulnerability was found using CodeQL’s SSRF Java query.


This issue may lead to server-side request forgery: an unauthenticated attacker can make the Jenkins server issue HTTP requests to hosts of their choosing, including hosts that are reachable only from the server's own network position.




This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).


You can contact the GHSL team at, please include a reference to GHSL-2023-074 in any communication regarding this issue.