Security advisory.

Incorrect Permission Assignment on Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier

Affected Product: Qualys Container Scanning Connector Plugin
Advisory ID: Q-PVD-2023-04
CVE ID: CVE-2023-4777
Published: 2023-09-08
CWE: CWE-732

Risk Factor

CVE Details              Qualys Risk Rating
CVSSv3.1 Score           3.1
CVSSv3.1 Vector (Base)   AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

An incorrect permission check in Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier allows attackers with global Item/Configure permission (but without Item/Configure permission on any particular job) to enumerate the IDs of credentials stored in Jenkins and to connect to an attacker-specified URL using attacker-specified credential IDs, capturing the credentials stored in Jenkins.
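The defect class described above is a plugin form method (a credentials dropdown or a "test connection" button) that does not verify the caller's permission on the specific job before listing credential IDs or opening an outbound connection. The following is an added illustrative example of the standard Jenkins permission-check pattern for such methods; it is not code from the Qualys plugin or its fix, and the class name, method names, parameter names and the username/password credential type are assumptions.

```java
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

public class ConnectorFormChecks {  // hypothetical descriptor helper, not the plugin's

    // Populates the credentials dropdown. Without the checks below, any user who
    // can reach the form URL could list every credential ID in scope.
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        if (item == null) {
            // Global configuration context: only administrators may enumerate.
            if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                return result.includeCurrentValue(credentialsId);
            }
        } else if (!item.hasPermission(Item.EXTENDED_READ)
                && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
            // Job context: permission is checked on THIS item, not a global grant.
            return result.includeCurrentValue(credentialsId);
        }
        return result.includeEmptyValue()
                .includeAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class)
                .includeCurrentValue(credentialsId);
    }

    // "Test connection" button: require POST (no GET-triggered requests) and a
    // permission check on the specific job before any credential is resolved or
    // any connection to the user-supplied server is attempted.
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
            @QueryParameter String apiServer, @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        // Only after the checks above is it safe to look up credentialsId and
        // contact apiServer (connection logic omitted; not part of this example).
        return FormValidation.ok("Permission checks passed for " + apiServer);
    }
}
```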

Solution

Customers should upgrade to a minimum version of 1.6.2.7.

Risk Considerations

Qualys has assessed the exploit and believes the risk to be low for the following reasons:

  • Exploitation requires the attacker to already have login access to Jenkins
  • Attackers must have the ability to configure Jenkins jobs

Acknowledgments

Yaroslav Afenkin, CloudBees, Inc.
