Lucene search

[email protected]NVD:CVE-2023-6147

HistoryJan 09, 2024 - 8:15 a.m.

CVE-2023-6147

2024-01-0908:15:36

CWE-611

[email protected]

web.nvd.nist.gov

qualys jenkins plugin

policy compliance

security flaw

connectivity check

qualys cloud services

permission check

rouge endpoint

xxe payloads

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

16.0%

JSON

Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data

Affected configurations

Nvd

Node

qualyspolicy_complianceRange≤1.0.5jenkins

VendorProductVersionCPE
qualyspolicy_compliance*cpe:2.3:a:qualys:policy_compliance:*:*:*:*:*:jenkins:*:*

Vendor	Product	Version	CPE
qualys	policy_compliance	*	cpe:2.3:a:qualys:policy_compliance::::::jenkins::*

References

www.openwall.com/lists/oss-security/2024/01/24/6

www.qualys.com/security-advisories/

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

16.0%

JSON

Related for NVD:CVE-2023-6147

osv1 prion1 cve1 cvelist1 github1 nessus1