CVE-2023-3414: 
Java vulnerability analysis and mitigation

A cross-site request forgery (CSRF) vulnerability was discovered in the Jenkins Plug-in for ServiceNow DevOps versions prior to 1.38.1. The vulnerability was identified with CVE-2023-3414 and was disclosed on July 26, 2023. The vulnerability affects the Jenkins ServiceNow DevOps Plugin up to version 1.38.0 (Jenkins Advisory, NVD).

The vulnerability exists in the DevOpsConfiguration#doTestConnection method, which fails to perform proper permission checks and does not require POST requests for form validation. The method reads arbitrary credentials from the credentials storage using hardcoded ACL.System permission and can send them to attacker-controlled servers. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (GitHub Security Lab).

If successfully exploited, this vulnerability could lead to the unwanted exposure of sensitive information, specifically allowing attackers to capture credentials stored in Jenkins. The vulnerability enables attackers to connect to attacker-specified URLs using attacker-specified credentials IDs obtained through another method (Jenkins Advisory).

The vulnerability has been fixed in Jenkins ServiceNow DevOps Plugin version 1.38.1. The updated version requires POST requests and Overall/Administer permission for the affected form validation method. Users are advised to upgrade to version 1.38.1 of the Jenkins plug-in for ServiceNow DevOps. No changes are required on instances of the Now Platform (NVD).

The vulnerability was discovered and reported by Alvaro Muñoz (@pwntester) from the GitHub Security Lab team. The issue was reported to the Jenkins Security Team on April 13, 2023, and was fixed with the release of ServiceNow DevOps Plugin 1.38.1 on July 26, 2023 (GitHub Security Lab).