CVE-2023-32262: 
Java vulnerability analysis and mitigation

A vulnerability (CVE-2023-32262) was identified in the Micro Focus Dimensions CM Plugin for Jenkins versions 0.9.3 and earlier. The vulnerability allows attackers with Item/Configure permission to access and capture system-scoped credentials they are not entitled to. This vulnerability was discovered and reported by Alvaro Muñoz from GitHub Security Lab (Jenkins Advisory, GitHub Lab).

The vulnerability stems from the plugin's failure to set appropriate context for credentials lookup, which allows the use of System-scoped credentials that should be reserved for global configuration. The issue specifically arises from a lack of proper input validation/sanitization of the dimensionsscm.serverPlugin parameter in the DimensionsScm#doCheckServerConfig method and the ACL.System access to the credentials storage. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability can lead to the exposure of sensitive secret credentials to unauthorized users. Attackers with Job/Configure permissions can potentially access and capture system-scoped credentials that they should not have access to (GitHub Lab).

The vulnerability has been fixed in Dimensions Plugin version 0.9.3.1, which defines the appropriate context for credentials lookup. Users are advised to upgrade to this version to mitigate the vulnerability (Jenkins Advisory).