
Cloud Vulnerability DB
A community-led vulnerabilities database
Jenkins Checkmarx Plugin 2022.4.3 and earlier contains a security vulnerability identified as CVE-2023-35142, which was disclosed on June 14, 2023. The vulnerability affects the SSL/TLS validation functionality for connections to the Checkmarx server, where the plugin disables the validation by default. This security issue impacts all versions of the Checkmarx Plugin up to and including version 2022.4.3 (Jenkins Advisory).
The vulnerability is classified with a CVSS v3.1 Base Score of 8.1 (HIGH) and the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The core issue is the plugin's default configuration, which disables SSL/TLS certificate validation for connections to the Checkmarx server unless an administrator changes it. This misconfiguration is classified as CWE-295 (Improper Certificate Validation) (NVD).
With validation disabled, the plugin accepts any certificate presented by the Checkmarx server, including a forged or self-signed one, so the connection is open to man-in-the-middle attacks. An attacker positioned on the network path could intercept and manipulate communication between Jenkins and the Checkmarx server (Jenkins Advisory).
The vulnerability has been fixed in Checkmarx Plugin version 2023.2.6, which enables SSL/TLS validation by default. Administrators are advised to update to this version or later. For those who cannot update immediately, it is recommended to review their configuration and manually enable SSL/TLS validation for connections to the Checkmarx server (Jenkins Advisory).
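To make the "validation disabled" versus "validation enabled" distinction concrete, here is an added Python illustration of the two TLS client settings and a small audit function that flags the weak one. This is not the Checkmarx plugin's code (the plugin is written in Java) and not taken from the Jenkins advisory; the function names are invented for this example, and only the Python standard library is used.

```python
import ssl

# Two ways of building a TLS client context. validate_certificates=False
# mirrors the weak default the advisory describes (CWE-295: no certificate
# chain or hostname checks); validate_certificates=True corresponds to the
# behaviour of the fixed plugin version, where validation is on by default.


def make_client_context(validate_certificates: bool) -> ssl.SSLContext:
    """Build a TLS client context; False reproduces the misconfiguration."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    if not validate_certificates:
        # Order matters: check_hostname must be turned off before verify_mode
        # can be set to CERT_NONE, otherwise Python raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return a list of findings; an empty list means the context validates
    both the peer's certificate chain and its hostname."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer certificate chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched against the server name")
    return findings


if __name__ == "__main__":
    for label, validate in (("legacy default (vulnerable)", False), ("fixed default", True)):
        print(label, audit_client_context(make_client_context(validate)) or ["OK"])
```

The audit function is the part worth keeping: the same two checks (chain verification required, hostname verification on) are what to confirm in any client configuration before trusting the results it pulls from a remote scanner.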
The vulnerability was discovered and reported by Daniel Beck from CloudBees Inc., highlighting the ongoing security research efforts within the Jenkins community (Jenkins Advisory).
Source: This report was generated using AI