CVE-2023-32996: 
Java vulnerability analysis and mitigation

A missing permission check vulnerability (CVE-2023-32996) was identified in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier. The vulnerability was disclosed on May 16, 2023, affecting the miniorange-saml-sp plugin (Jenkins Advisory).

The vulnerability stems from the plugin's failure to perform a permission check in an HTTP endpoint. This security flaw allows attackers with Overall/Read permission to send an HTTP POST request with JSON body containing attacker-specified content to miniOrange's API for sending emails. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability enables attackers with Overall/Read permission to send unauthorized emails through miniOrange's API using attacker-controlled content. This could potentially be used for phishing attacks or spam distribution through the Jenkins instance (Jenkins Advisory).

The vulnerability has been fixed in SAML Single Sign On(SSO) Plugin version 2.0.1, which removes the affected HTTP endpoint entirely. Users are advised to upgrade to this version or later to address the security issue (Jenkins Advisory).