CVE-2023-37944: 
Java vulnerability analysis and mitigation

A missing permission check vulnerability (CVE-2023-37944) was discovered in Jenkins Datadog Plugin versions 5.4.1 and earlier. The vulnerability was disclosed on July 12, 2023, and affects the HTTP endpoint functionality of the plugin. The issue was fixed in version 5.4.2 (Jenkins Advisory, OSS Security).

The vulnerability stems from the absence of proper permission checks in an HTTP endpoint within the DatadogGlobalConfiguration#doTestConnection method. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-862 (Missing Authorization) (NVD, GitHub Security Lab).

The vulnerability allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, potentially leading to the capture of credentials stored in Jenkins (Jenkins Advisory).

The vulnerability has been fixed in Datadog Plugin version 5.4.2, which now requires Overall/Administer permission to access the affected HTTP endpoint. Users are strongly advised to upgrade to this version to mitigate the security risk (Jenkins Advisory).

The vulnerability was discovered and reported by Alvaro Muñoz (@pwntester) from GitHub Security Lab. The Jenkins project acknowledged the discovery in their security advisory and provided a timely fix (Jenkins Advisory).