VYPR
High severity · NVD Advisory · Published Jun 14, 2023 · Updated Jan 2, 2025

CVE-2023-35142

Description

Jenkins Checkmarx Plugin defaults to disabling SSL/TLS validation, enabling man-in-the-middle attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Details

Checkmarx Plugin 2022.4.3 and earlier disables SSL/TLS certificate validation by default for connections to the Checkmarx server [1]. This means that unless an administrator explicitly enables validation, the plugin will accept any certificate presented by the server, including self-signed or malicious ones.

Exploitation

An attacker with network access to the communication path between the Jenkins instance and the Checkmarx server can perform a man-in-the-middle attack. By presenting a forged certificate, the attacker can intercept and modify traffic without detection. No prior authentication is required for the attacker beyond being positioned on the network.

Impact

Successful exploitation allows the attacker to read sensitive data transmitted during scans (such as code or credentials) and potentially inject malicious responses, compromising the integrity of the security analysis process.

Mitigation

The vulnerability is fixed in Checkmarx Plugin 2023.2.6, which enables SSL/TLS validation by default [1]. Administrators using earlier versions should upgrade immediately or manually enable SSL/TLS validation in the plugin configuration [2].
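As an added illustration, not code from the Checkmarx plugin or from this advisory, the shape of the defect described above in a Java HTTPS client: a "validate certificates" setting whose default is false, beside the corrected default of true, and the trust-all TrustManager that "validation disabled" amounts to. The class, constant and method names, and the server URL, are hypothetical; the two defaults are the only part taken from the advisory text.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical client settings, modelled only on the advisory's description.
 * The vulnerable shape is a validation flag whose default is false; the fix
 * is the same flag defaulting to true. Nothing here is the plugin's own code.
 */
public class CheckmarxTlsExample {

    /** Before the fix: validation is off unless an administrator opts in. */
    static final boolean VULNERABLE_DEFAULT = false;
    /** After the fix (2023.2.6, as the advisory describes it): validation on by default. */
    static final boolean FIXED_DEFAULT = true;

    /** Trust-all manager: accepts any chain, so a forged certificate is never rejected. */
    static TrustManager[] trustEverything() {
        return new TrustManager[] { new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
    }

    /** Default managers: the chain is checked against the JVM trust store (cacerts or -Djavax.net.ssl.trustStore). */
    static TrustManager[] platformTrust() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        return tmf.getTrustManagers();
    }

    static SSLContext buildContext(boolean validateCertificates) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, validateCertificates ? platformTrust() : trustEverything(), new SecureRandom());
        return ctx;
    }

    static HttpsURLConnection open(String serverUrl, boolean validateCertificates)
            throws IOException, GeneralSecurityException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(serverUrl).openConnection();
        conn.setSSLSocketFactory(buildContext(validateCertificates).getSocketFactory());
        if (!validateCertificates) {
            // "Validation disabled" usually also means a hostname verifier that accepts any name.
            conn.setHostnameVerifier((host, session) -> true);
        }
        return conn;
    }

    /** Audit helper: true when the connection was given a non-default (permissive) hostname verifier. */
    static boolean skipsHostnameCheck(HttpsURLConnection conn) {
        return conn.getHostnameVerifier() != HttpsURLConnection.getDefaultHostnameVerifier();
    }

    public static void main(String[] args) throws Exception {
        String server = "https://checkmarx.example.invalid/"; // placeholder; never contacted here
        boolean validate = args.length > 0 ? Boolean.parseBoolean(args[0]) : FIXED_DEFAULT;
        HttpsURLConnection conn = open(server, validate);
        System.out.println("validateCertificates=" + validate
            + " hostnameVerifierOverridden=" + skipsHostnameCheck(conn));
        // No request is sent: openConnection() does not connect until connect()/getInputStream().
    }
}
```

Run with no argument to see the corrected default, or with `false` to see the vulnerable configuration. The only difference between the two paths is which TrustManager set is installed: with `trustEverything()`, `checkServerTrusted` returns without examining the chain, which is exactly the condition under which a man-in-the-middle certificate is accepted. Administrators on an affected version should confirm the validation setting is enabled rather than relying on the default.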

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.checkmarx.jenkins:checkmarx (Maven)
Affected versions: < 2023.2.6
Patched versions: 2023.2.6

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1