Qualys Container Scanning Connector Plugin
Qualys Risk Rating
An incorrect permission check in Qualys Container Scanning Connector Plugin 220.127.116.11 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins and to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins.
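The bug class above is a permission check made at the wrong scope: a form-validation endpoint that only checks Item/Configure against the Jenkins root instead of against the job being configured. The following Java is an added illustration of that pattern and its fix using the standard Jenkins and Credentials plugin APIs; it is not code from the Qualys plugin, and the class and method names are hypothetical.

```java
import java.util.Collections;
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

// Hypothetical descriptor; only the permission handling matters here.
public class ConnectorDescriptorExample {

    // Weak pattern: the check runs against the Jenkins root, so any user holding
    // Item/Configure globally passes it even if they may not configure this job,
    // and the full list of credential IDs is returned to them.
    public ListBoxModel doFillCredentialsIdItemsWeak(@QueryParameter String credentialsId) {
        Jenkins.get().checkPermission(Item.CONFIGURE);
        return new StandardListBoxModel()
                .includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM, Jenkins.get(), StandardUsernamePasswordCredentials.class,
                        Collections.emptyList(), CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }

    // Hardened pattern: resolve the job from the request context and check
    // Item/Configure on that job (or Administer when there is no job context).
    // Callers lacking it only get back the value already stored in the form,
    // so nothing new is disclosed.
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        boolean allowed = (item == null)
                ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                : item.hasPermission(Item.CONFIGURE);
        if (!allowed) {
            return result.includeCurrentValue(credentialsId);
        }
        return result.includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class,
                        Collections.emptyList(), CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }
}
```

Any "test connection" endpoint that takes a URL and a credentials ID needs the same job-scoped check before it resolves the credential and makes a request; a global check there is what lets stored credentials be sent to a caller-chosen endpoint.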
Customers should upgrade to a minimum version of 18.104.22.168.
Qualys has assessed the exploit and believes the risk to be low for the following reasons:
Yaroslav Afenkin, CloudBees, Inc.