Affected Product: | Qualys Container Scanning Connector Plugin |
Advisory ID: | Q-PVD-2023-04 |
CVE ID: | CVE-2023-4777 |
Published: | 2023-09-08 |
CWE: | CWE-732 |
CVE Details | Qualys Risk Rating |
CVSSv3.1 Score | 3.1 (Low)
CVSSv3.1 Vector (Base) | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
An incorrect permission check in Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate the IDs of credentials stored in Jenkins, and to make the plugin connect to an attacker-specified URL using an attacker-specified credentials ID, capturing the credentials stored in Jenkins. The qualifier matters: the check is satisfied by the global grant alone, so a user who cannot configure any job can still drive these form endpoints and the credentials they resolve.
Customers should upgrade to version 1.6.2.7 or later, which corrects the permission check.
Qualys has assessed the exploit and believes the risk to be low for the following reasons:
Credit: | Yaroslav Afenkin, CloudBees, Inc.