CVE-2023-3442: 
Java vulnerability analysis and mitigation

A missing authorization vulnerability (CVE-2023-3442) was identified in the Jenkins Plug-in for ServiceNow DevOps versions prior to 1.38.1. The vulnerability was discovered and disclosed on July 26, 2023, affecting all versions of the ServiceNow DevOps Plugin up to and including version 1.38.0 (Jenkins Advisory).

The vulnerability stems from a missing permission check in a method implementing form validation. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method. The vulnerability is particularly concerning as it reads arbitrary credentials from the credentials storage using hardcoded ACL.System permission (GitHub Security Lab).

If successfully exploited, this vulnerability could lead to the unwanted exposure of sensitive information and credentials stored in Jenkins. The attacker could capture credentials and send them to an attacker-controlled server, with the credentials being leaked base64-encoded in the Authorization header (GitHub Security Lab).

The vulnerability has been addressed in version 1.38.1 of the Jenkins plug-in for ServiceNow DevOps. The fix requires POST requests and Overall/Administer permission for the affected form validation method. Users are advised to upgrade to version 1.38.1 of the plugin on their Jenkins server. No changes are required on instances of the Now Platform (NVD).