The vulnerability in the Jenkins SAML Plugin stems from its failure to implement a replay cache for SAML authentication responses. During a standard SAML SSO login, the Identity Provider sends a digitally signed response carrying a unique message identifier to the service provider, here Jenkins. A correctly implemented replay cache records every identifier it has already accepted and refuses any message that presents one of them again. This plugin had no such cache. Consequently, an attacker who can intercept the SAML exchange, for instance through a man-in-the-middle position, can capture a valid authentication response and re-submit, or "replay," the identical SAML message to the Jenkins instance. Because the message still carries a valid Identity Provider signature and the plugin keeps no record of previously used identifiers, Jenkins processes the request and authenticates the attacker as the user whose response was captured, bypassing authentication entirely.
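The following is an added example, not code from the Jenkins SAML Plugin or from the page, showing the check the paragraph above says was missing: a replay cache that records each accepted Response and Assertion ID until the message's own NotOnOrAfter time, so a second presentation of the same signed message is rejected. The SAML XML is a constructed sample with the signature omitted, since replay protection is an extra step that runs after signature verification has already passed; `DEFAULT_LIFETIME` is an assumed cap used only when an assertion carries no NotOnOrAfter.

```python
"""Replay-cache check for SAML responses (added illustration, not the plugin's code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Assumed cap on how long an ID is remembered when the IdP sets no NotOnOrAfter.
DEFAULT_LIFETIME = timedelta(minutes=5)

# Constructed sample response (not a real capture). The XML signature is left out
# because signature verification is assumed to have happened before this check.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_resp-0001" Version="2.0" IssueInstant="2024-10-29T12:00:00Z">
  <saml:Assertion ID="_assert-0001" Version="2.0" IssueInstant="2024-10-29T12:00:00Z">
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-10-29T11:59:00Z" NotOnOrAfter="2024-10-29T12:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """Parse the UTC timestamp form used in SAML IssueInstant/Conditions attributes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class ReplayCache:
    """Remembers accepted message IDs until the message itself expires.

    Tying each entry's lifetime to NotOnOrAfter keeps the cache bounded: once the
    assertion is past its window it is rejected by the time check anyway.
    """

    def __init__(self):
        self._seen = {}  # message ID -> datetime after which the entry may be dropped

    def purge(self, now):
        """Drop entries whose messages can no longer be valid."""
        for msg_id in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[msg_id]

    def first_use(self, msg_id, expires_at, now):
        """Record the ID and return True on first sight; return False if already used."""
        self.purge(now)
        if msg_id in self._seen:
            return False
        self._seen[msg_id] = expires_at
        return True

    def __len__(self):
        return len(self._seen)


def validate_response(xml_text, cache, now):
    """Apply time-window and replay checks. Returns (accepted, reason, subject)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no-assertion", None
    subject = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    cond = assertion.find("saml:Conditions", NS)
    not_before = cond.get("NotBefore") if cond is not None else None
    not_on_or_after = cond.get("NotOnOrAfter") if cond is not None else None
    if not_before and now < parse_ts(not_before):
        return False, "not-yet-valid", subject
    expires_at = parse_ts(not_on_or_after) if not_on_or_after else now + DEFAULT_LIFETIME
    if now >= expires_at:
        return False, "expired", subject
    # Both the Assertion ID and the Response ID are single-use. Checking the assertion
    # first means a replayed assertion wrapped in a freshly minted Response still fails.
    for msg_id in (assertion.get("ID"), root.get("ID")):
        if not msg_id:
            return False, "missing-id", subject
        if not cache.first_use(msg_id, expires_at, now):
            return False, "replay", subject
    return True, "ok", subject


def demo():
    """Present the same signed message three times: fresh, replayed, and after expiry."""
    cache = ReplayCache()
    t_first = parse_ts("2024-10-29T12:00:30Z")
    first = validate_response(SAMPLE_RESPONSE, cache, t_first)
    replay = validate_response(SAMPLE_RESPONSE, cache, t_first + timedelta(seconds=10))
    t_late = parse_ts("2024-10-29T12:06:00Z")
    late = validate_response(SAMPLE_RESPONSE, cache, t_late)
    cache.purge(t_late)  # entries for the now-expired message are dropped
    return first, replay, late, len(cache)


if __name__ == "__main__":
    for label, result in zip(("first", "replay", "late", "cached"), demo()):
        print(label, result)
```

The first presentation is accepted, the byte-identical second one is rejected with reason `replay`, and a presentation after NotOnOrAfter is rejected as `expired` before the cache is consulted. In a Jenkins deployment with more than one node handling logins, the cache would have to be shared across nodes; a per-process dictionary like this one would let a replay succeed against a node that never saw the original.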
Platform: Jenkins
Version: < 4.583.585.v22ccc1139f55
Vulnerability: Authentication Bypass
Severity: High
Date: 2024-10-29
Prediction: 2024-11-12
What Undercode Says:
`tcpdump -i eth0 -A -s 0 | grep -i "SAMLResponse"`
`echo "Replay cache not found in source."`
`grep -r "ReplayCache" .`
How it is exploited:
Intercept SAML Response.
Re-transmit captured message.
Gain unauthorized user access.
Protection from this CVE:
Update the plugin to 4.583.585.v22ccc1139f55.
Enforce network-level encryption (TLS) so SAML responses cannot be captured in transit.
Monitor for unusual login patterns, such as the same SAML response being presented more than once.
Impact:
Full account takeover.
Privilege escalation.
Session hijacking.
Sources:
Reported By: github.com