In June 2023, a security vulnerability known as CVE-2023-3442 was disclosed in the Jenkins Plug-in for ServiceNow DevOps. This vulnerability, present in versions prior to 1.38.1, allows attackers to access sensitive information without required authorization. In this article, we’ll break down what the vulnerability is, how it can be exploited, and what you need to do to stay protected. We’ll also provide official references and some example code to help you understand the issue.

What is CVE-2023-3442?

CVE-2023-3442 is a “missing authorization” or “authorization bypass” vulnerability in the ServiceNow DevOps plug-in for Jenkins. Plug-ins like this allow Jenkins and ServiceNow to talk to each other, making DevOps automation easier. But versions of the plug-in prior to 1.38.1 failed to properly check whether users were authorized before handing over sensitive data.

This means that anyone who could reach the affected endpoints could potentially access sensitive ServiceNow or Jenkins-related information, even if they weren't supposed to.

- Jenkins environments exposed to internal or external attackers (including inside your own network).

- ServiceNow tenants themselves are not directly impacted, but leakages can expose ServiceNow data or integration secrets.

2. Those endpoints process requests—often without making sure the user is allowed to.

3. An attacker can send requests to those URLs and pull out sensitive info (API keys, build secrets, etc.).

Vulnerable Example

Suppose the plug-in exposes an API endpoint at /servicenow-devops/getConfig.

In the vulnerable versions, code might look something like this (simplified for clarity):

// BAD: No auth check!
@WebMethod
public String getConfig() {
    return getSensitiveConfigFile();
}

Anyone who can hit this endpoint can grab the config.

A basic attack would be:

curl https://jenkins.example.com/servicenow-devops/getConfig

If this endpoint is unprotected, it may return something like:

{
    "servicenowUrl": "https://your-instance.servicenow.com",
    "apiKey": "super-secret-key-here",
    "devopsSecrets": "even-more-secrets"
}

Dump environment variables, configuration files, or integration keys

If Jenkins is exposed to the Internet, this can be especially severe.

How to Fix It

Upgrade the plug-in to version 1.38.1 or higher as soon as possible. According to ServiceNow and Jenkins, this patch resolves the lack of authorization checks.

Restart Jenkins if prompted.

*No changes are required on your ServiceNow (Now Platform) instances.*
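To confirm the upgrade actually landed, the script below checks a Jenkins plug-in inventory for `servicenow-devops` older than 1.38.1. It is an added example, not code from ServiceNow, Jenkins or the advisory; it assumes the inventory has the JSON shape returned by a controller's `/pluginManager/api/json?depth=1` listing (`shortName`, `version`, `enabled`), and the sample data is constructed.

```python
import json
import re

PLUGIN_ID = "servicenow-devops"   # plug-in ID, taken from the plug-in page URL in this article
FIXED = (1, 38, 1)                # first fixed version, per this article

def parse_version(text):
    """Split '1.38.1-beta' into ((1, 38, 1), '-beta') so versions compare numerically."""
    match = re.match(r"(\d+(?:\.\d+)*)(.*)", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # pad '1.38' to (1, 38, 0)
    return tuple(parts), match.group(2)

def assess(inventory_json):
    """Return (status, version) for the plug-in found in the inventory JSON text."""
    for plugin in json.loads(inventory_json).get("plugins", []):
        if plugin.get("shortName") != PLUGIN_ID:
            continue
        version = str(plugin.get("version") or "")
        try:
            parsed, suffix = parse_version(version)
        except ValueError:
            return ("unknown", version)      # cannot decide automatically
        if parsed == FIXED and suffix:
            return ("unknown", version)      # suffixed build of the fixed version: review by hand
        if parsed >= FIXED:
            return ("patched", version)
        # A disabled plug-in is still on disk and must be upgraded before it is re-enabled.
        state = "vulnerable" if plugin.get("enabled", True) else "vulnerable-disabled"
        return (state, version)
    return ("not-installed", None)

# Constructed sample inventory, not output from a real controller.
# '1.9.0' sorts above '1.38.1' as a string, which is why versions are compared as tuples.
SAMPLE = """{"plugins": [
  {"shortName": "git", "version": "5.0.0", "enabled": true},
  {"shortName": "servicenow-devops", "version": "1.9.0", "enabled": true}
]}"""

if __name__ == "__main__":
    status, version = assess(SAMPLE)
    print(f"{PLUGIN_ID}: {status} (installed version: {version})")
```

Run it against the saved JSON from each controller you manage; any result other than `patched` or `not-installed` needs follow-up.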

ServiceNow Security Advisory:

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1220034

Jenkins Plug-in Page:

https://plugins.jenkins.io/servicenow-devops/

NVD Description:

https://nvd.nist.gov/vuln/detail/CVE-2023-3442

Conclusion

CVE-2023-3442 is a classic case of “missing authorization” in a widely used DevOps integration plug-in, and it can leak your most sensitive secrets to anyone who can access your Jenkins server. Patch immediately. Make sure you keep your Jenkins plug-ins up to date, and always pay attention to security advisories from your integration vendors.

Up-to-date plug-ins mean a safer software supply chain for everyone.

Timeline

Published on: 07/26/2023 19:15:00 UTC
Last modified on: 08/03/2023 15:31:00 UTC