A high-severity vulnerability has been identified in the Jenkins SAML Plugin, which could allow an unauthenticated attacker to bypass security controls and gain unauthorized access to the Jenkins server. Successful exploitation could lead to the compromise of sensitive source code, deployment credentials, and the integrity of the software build and deployment pipeline.

The Jenkins SAML Plugin fails to properly validate the cryptographic signature of incoming SAML assertions. An unauthenticated remote attacker can exploit this flaw by crafting a malicious SAML response containing a valid user identifier but an invalid or missing signature. The plugin processes this response as authentic, granting the attacker access to the Jenkins instance with the permissions of the impersonated user.

This vulnerability is rated as High severity with a CVSS score of 7.5. A successful exploit would grant an attacker unauthorized access to the Jenkins automation server, a central component of the software development lifecycle. The potential consequences include the theft of intellectual property and source code, compromise of secrets and credentials stored within Jenkins, injection of malicious code into the CI/CD pipeline (supply chain attack), and disruption of critical development and deployment operations. This poses a significant risk to data confidentiality, system integrity, and operational availability.

Immediate Action: Apply the security updates released by Jenkins for the SAML Plugin immediately to patch the vulnerability. Concurrently, system administrators should begin monitoring for signs of exploitation and conduct a thorough review of access logs for any anomalous or unauthorized login activity preceding the patch.

Proactive Monitoring: Monitor Jenkins application and security logs for malformed or unusual SAML authentication requests, specifically those with signature validation errors or unexpected issuer values. Network traffic should be monitored for anomalous connections to the Jenkins web interface. Implement alerts for successful logins from previously unseen IP addresses or geolocations.

Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:

• Restrict network access to the Jenkins instance, allowing connections only from trusted IP ranges or through a VPN.
• Deploy a Web Application Firewall (WAF) with rules specifically designed to inspect and block malformed or unsigned SAML assertions.
• Temporarily disable SAML-based authentication in favor of a different, secure authentication method until patching can be completed.

Public Exploit Available: false

This vulnerability presents a clear and present danger to the software supply chain. Due to the high CVSS score and the critical nature of the affected asset, we recommend that organizations prioritize the immediate patching of all affected Jenkins instances. Although this CVE is not yet on the CISA KEV list, its potential for enabling significant unauthorized access warrants an emergency-level response. Organizations should treat this as a critical priority and apply the vendor-supplied patch within their established timeframe for critical vulnerabilities.