Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data
References
| Link | Resource |
|---|---|
| http://www.openwall.com/lists/oss-security/2024/01/24/6 | |
| https://www.qualys.com/security-advisories/ | Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2024/01/24/6 | |
| https://www.qualys.com/security-advisories/ | Vendor Advisory |
Configurations
History
13 Feb 2025, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data |
Information
Published : 2024-01-09 08:15
Updated : 2025-02-13 18:16
NVD link : CVE-2023-6147
Mitre link : CVE-2023-6147
CVE.ORG link : CVE-2023-6147
JSON object : View
Products Affected
qualys
- policy_compliance
CWE
CWE-611
Improper Restriction of XML External Entity Reference