VYPR
Moderate severity · NVD Advisory · Published Jul 12, 2023 · Updated Nov 7, 2024

CVE-2023-37944

Description

Missing permission check in Jenkins Datadog Plugin 5.4.1 and earlier allows attackers with Overall/Read to capture credentials via attacker-controlled URL.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2023-37944 is a missing permission check vulnerability in the Jenkins Datadog Plugin up to version 5.4.1. The plugin fails to verify that a user has the necessary permissions to perform an action that connects to an external URL using specified credential IDs, allowing unauthorized credential exposure [1][3].

An attacker with the low-privilege Overall/Read permission can exploit this by providing an attacker-specified URL and credential IDs obtained through another method (e.g., a separate vulnerability or configuration disclosure). The plugin then connects to the attacker-controlled URL using those credentials, which lets the attacker capture the stored Jenkins credentials [1][3].

The impact is the exposure of sensitive credentials stored in Jenkins, which could be used to gain further access to the Jenkins environment or integrated systems. The attack requires the attacker to first obtain credential IDs, but the missing permission check significantly lowers the barrier to credential theft [1][3].

Jenkins has addressed this issue in Datadog Plugin version 5.4.2, released on July 12, 2023. Users are advised to upgrade to this version to mitigate the vulnerability [2]. No workarounds are available.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.datadog.jenkins.plugins:datadog (Maven)
Affected versions: < 5.4.2
Patched versions: 5.4.2
