Security advisory.
Incorrect Permission Assignment on Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier
Affected Product | Qualys Container Scanning Connector Plugin
Advisory ID      | Q-PVD-2023-04
CVE ID           | CVE-2023-4777
Published        | 2023-09-08
CWE              | CWE-732
Risk Factor
CVE Details            | Qualys Risk Rating
-----------------------|------------------------------------
CVSSv3.1 Score         | 3.1
CVSSv3.1 Vector (Base) | AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
An incorrect permission check in Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins and to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins.
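As an added illustration (not the plugin's own code), this is the Jenkins descriptor pattern that closes this class of defect: the credentials dropdown and the connection test are checked against the job the form belongs to, not against a global permission. Class and method names are hypothetical, and it assumes a current Jenkins core and Credentials plugin.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import hudson.util.ListBoxModel;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

// Hypothetical descriptor showing the check pattern; not the plugin's own code.
// The weak form checks only Jenkins.get().hasPermission(Item.CONFIGURE), so a
// global Item/Configure grant passes on every job's form (the CWE-732 pattern).
public class ExampleConnectorDescriptor {
    // Dropdown population: scope the check to the requesting job (@AncestorInPath)
    // and require ADMINISTER when there is no job context. Callers without the
    // permission get back only the value already in the form, not the stored IDs.
    @POST
    public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                 @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        boolean allowed = item == null
                ? Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                : item.hasPermission(Item.EXTENDED_READ) || item.hasPermission(CredentialsProvider.USE_ITEM);
        if (!allowed) {
            return result.includeCurrentValue(credentialsId);
        }
        return result.includeEmptyValue()
                .includeMatchingAs(ACL.SYSTEM2, item, StandardUsernamePasswordCredentials.class,
                        Collections.emptyList(), CredentialsMatchers.always())
                .includeCurrentValue(credentialsId);
    }

    // Connection test: the scoped check runs before any request leaves Jenkins, so the
    // controller never presents stored credentials to a URL the caller is not entitled to set.
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item, @QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return FormValidation.ok(); // a real implementation performs the test here
    }
}
```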
Solution
Customers should upgrade to a minimum version of 1.6.2.7.
Risk Considerations
Qualys has assessed the exploit and believes the risk to be low for the following reasons:
- Exploitation requires the attacker to already have login access to Jenkins
- Attackers must have the ability to configure Jenkins jobs
Acknowledgments
Yaroslav Afenkin, CloudBees, Inc.