Cross-Site Request Forgery (CSRF) in Jenkins Plug-in for ServiceNow DevOps
Description
A cross-site request forgery vulnerability in the Jenkins ServiceNow DevOps plugin prior to 1.38.1 could lead to exposure of sensitive information; update to version 1.38.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
CVE-2023-3414 is a cross-site request forgery (CSRF) vulnerability in the Jenkins ServiceNow DevOps plugin, affecting versions prior to 1.38.1 [1]. The plugin integrates Jenkins with ServiceNow's DevOps capabilities, allowing job execution control via ServiceNow Change Management [3]. The root cause is that certain plugin endpoints lacked proper CSRF protection, allowing an attacker to trick an authenticated Jenkins user into performing unintended actions.
Exploitation
To exploit this vulnerability, an attacker must convince a Jenkins user with sufficient permissions to visit a malicious webpage or click a crafted link while authenticated to Jenkins. The CSRF attack can then trigger a request to the vulnerable plugin endpoint, potentially exposing sensitive information such as credentials or configuration data [1]. The fix in version 1.38.1 adds the @POST annotation and a permission check (Jenkins.MANAGE) to the doTestConnection method, ensuring that only POST requests with proper authorization are accepted [4].
Impact
Successful exploitation could result in the unwanted exposure of sensitive information, including credentials stored in Jenkins or ServiceNow integration secrets. This could lead to further compromise of the Jenkins environment or connected ServiceNow instances.
Mitigation
Users should upgrade the ServiceNow DevOps plugin to version 1.38.1 or later [2]. No changes are required on the ServiceNow Now Platform side [1]. The plugin is available from the Jenkins update center or GitHub releases.
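A quick way to confirm the mitigation above is a Jenkins script console check. This is an added example, not part of the advisory or of the plugin; it assumes the plugin's short name is `servicenow-devops` (matching the Maven artifactId io.jenkins.plugins:servicenow-devops) and uses only Jenkins core APIs (`PluginManager.getPlugin`, `VersionNumber`, `Jenkins.getCrumbIssuer`).

```groovy
// Added example (not from the advisory or the plugin): run in Manage Jenkins > Script Console.
// Assumption: the plugin short name is "servicenow-devops"; adjust if your instance reports another id.
import hudson.util.VersionNumber
import jenkins.model.Jenkins

def jenkins = Jenkins.get()
def fixed = new VersionNumber("1.38.1")          // first patched release per the advisory
def plugin = jenkins.pluginManager.getPlugin("servicenow-devops")

if (plugin == null) {
    println "servicenow-devops: not installed, CVE-2023-3414 does not apply to this controller"
} else {
    // VersionNumber handles multi-part versions correctly (1.38.1 > 1.9.0), unlike string compare
    def installed = new VersionNumber(plugin.version)
    if (installed.isOlderThan(fixed)) {
        println "servicenow-devops ${installed}: AFFECTED by CVE-2023-3414, upgrade to ${fixed} or later"
    } else {
        println "servicenow-devops ${installed}: patched (>= ${fixed})"
    }
}

// Defence in depth: the fix marks doTestConnection @POST, and Jenkins' crumb check on POST
// requests is what stops a cross-site form submission. Confirm the crumb issuer is active.
if (jenkins.crumbIssuer == null) {
    println "WARNING: global CSRF protection (crumb issuer) is disabled; re-enable it"
} else {
    println "Global CSRF protection enabled (${jenkins.crumbIssuer.class.simpleName})"
}
```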
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:servicenow-devops (Maven) | < 1.38.1 | 1.38.1 |
Affected products
- ServiceNow: Jenkins plug-in for ServiceNow DevOps (v5, Range: 0)
Patches
- 67192e240997 · DEF0417750: [Security Bug] Credential leakage through SSRF | Open source
1 file changed · +2 −2
src/main/java/io/jenkins/plugins/config/DevOpsConfiguration.java+2 −2 modified@@ -238,7 +238,7 @@ public FormValidation doTestConnection(@QueryParameter("instanceUrl") String ins List<DomainRequirement> drl = null; ItemGroup itemGroup = null; Authentication authentication = null; - Jenkins.get().checkPermission(Jenkins.MANAGE); + Jenkins.get().checkPermission(Jenkins.ADMINISTER); if (GenericUtils.isEmpty(instanceUrl)) return FormValidation.error("Please provide the url!"); @@ -517,4 +517,4 @@ public String getPolicyValidationURL() { ? String.format("%s/api/now/table/sn_cdm_policy_validation_result", getTrimmedUrl(getInstanceUrl())) : null; } -} \ No newline at end of file +}
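Review bot: the first hunk raises the check in doTestConnection from Jenkins.MANAGE to Jenkins.ADMINISTER, but neither the commit message nor a code comment says why. Since the method takes instanceUrl and credentialsId from the caller, the stricter permission is the right bar for a "test connection" endpoint that resolves a stored credential and contacts a caller-supplied URL; please record that rationale next to the call (e.g. `// ADMINISTER: resolves stored credentials against a caller-supplied URL`) so a later cleanup does not relax it back to MANAGE. This hunk also supersedes the MANAGE check introduced in d7d2422b0169, so the two commits should be read together.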
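Review bot: the second hunk (around line 517) only adds the missing trailing newline after the closing brace of getPolicyValidationURL; it is an unrelated whitespace change bundled into a security fix and would be cleaner as its own formatting commit.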
- d7d2422b0169 · DEF0417750: [Security Bug] Credential leakage through SSRF | Open source
1 file changed · +3 −1
src/main/java/io/jenkins/plugins/config/DevOpsConfiguration.java+3 −1 modified@@ -24,6 +24,7 @@ import org.kohsuke.accmod.restrictions.NoExternalUse; import org.kohsuke.stapler.QueryParameter; import org.kohsuke.stapler.StaplerRequest; +import org.kohsuke.stapler.verb.POST; import javax.annotation.Nonnull; import javax.servlet.ServletException; @@ -229,14 +230,15 @@ public FormValidation doCheckToolId(@QueryParameter("toolId") String snToolId) } // Skipping validation for Artifact tool Id as it is an optional parameter. + @POST public FormValidation doTestConnection(@QueryParameter("instanceUrl") String instanceUrl, @QueryParameter("apiVersion") String apiVersion, @QueryParameter("toolId") String toolId, @QueryParameter("credentialsId") String credentialsId) throws IOException, ServletException { List<DomainRequirement> drl = null; ItemGroup itemGroup = null; Authentication authentication = null; - + Jenkins.get().checkPermission(Jenkins.MANAGE); if (GenericUtils.isEmpty(instanceUrl)) return FormValidation.error("Please provide the url!");
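Review bot: in the doTestConnection hunk the @POST annotation and `Jenkins.get().checkPermission(Jenkins.MANAGE);` are placed before the empty-instanceUrl check, which is the right order (authorize before validating input or making any outbound call). The permission chosen is the weak point: Jenkins.MANAGE is broader than a method that resolves credentialsId to a stored credential and sends it to a caller-supplied instanceUrl should allow, and the follow-up commit 67192e240997 has to tighten it to Jenkins.ADMINISTER; use ADMINISTER here directly. The import hunk (`import org.kohsuke.stapler.verb.POST;`) is fine as is.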
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-rchx-rvh2-vx5j (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-3414 (source: GHSA; type: advisory)
- github.com/jenkinsci/servicenow-devops-plugin/commit/67192e24099787ad732b41d581f20714d4253921 (source: GHSA; type: web)
- github.com/jenkinsci/servicenow-devops-plugin/commit/d7d2422b016995402dd245d9c9c5c2f4cf00c691 (source: GHSA; type: web)
- github.com/jenkinsci/servicenow-devops-plugin/releases/tag/v1.38.1 (source: GHSA; type: web)
- support.servicenow.com/kb (source: GHSA; type: web)
News mentions
- Jenkins Security Advisory 2023-07-26 (Jenkins Security Advisories, Jul 26, 2023)