
Security Advisory

Incorrect Permission Assignment on Qualys Container Scanning Connector Plugin and earlier

Affected Product: Qualys Container Scanning Connector Plugin
Advisory ID: Q-PVD-2023-04
CVE ID: CVE-2023-4777
Published: 2023-09-08
CWE: CWE-732

Risk Factor

CVE Details / Qualys Risk Rating
CVSSv3.1 Score: 3.1
CVSSv3.1 Vector (Base): AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

An incorrect permission check in Qualys Container Scanning Connector Plugin and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins and to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins.
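The defensive shape of the fix, as an added illustration that is not the plugin's own code: a Jenkins plugin "test connection" handler and credential dropdown that scope their permission checks to the job being configured instead of relying on a global check. The class name, the doTestConnection handler, the apiUrl parameter and the placeholder API call are assumptions; the Jenkins and Credentials plugin APIs used are real.

```java
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.URIRequirementBuilder;

// Hypothetical descriptor for a scanner build step (illustration, not plugin code).
public class ScannerStepDescriptor extends Descriptor<Builder> {

    // "Test connection" handler. The advisory's CWE-732 pattern is a handler that
    // checks no per-job permission, so anyone who may configure *some* job can make
    // Jenkins connect to a URL they choose with a credential ID they choose. The fix
    // is to require Item/Configure on the job being edited, falling back to
    // Overall/Administer when there is no job context (global configuration).
    @POST   // also refuses GET, so the check cannot be bypassed via a crafted link
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String apiUrl,
                                           @QueryParameter String credentialsId) {
        if (item == null) Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        else item.checkPermission(Item.CONFIGURE);
        // Hypothetical: the real HTTP call to the scanner API would go here.
        return FormValidation.ok("Connection test skipped in example");
    }

    // Credential dropdown. Unguarded, it enumerates every credential ID the caller can
    // reach; guarded, users without rights on the job only see the value already saved.
    public StandardListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                         @QueryParameter String apiUrl,
                                                         @QueryParameter String credentialsId) {
        StandardListBoxModel result = new StandardListBoxModel();
        boolean denied = (item == null)
                ? !Jenkins.get().hasPermission(Jenkins.ADMINISTER)
                : !item.hasPermission(Item.EXTENDED_READ)
                  && !item.hasPermission(CredentialsProvider.USE_ITEM);
        if (denied) return result.includeCurrentValue(credentialsId);
        return result.includeEmptyValue()
                .includeAs(ACL.SYSTEM, item, StandardUsernamePasswordCredentials.class,
                        URIRequirementBuilder.fromUri(apiUrl).build())
                .includeCurrentValue(credentialsId);
    }
}
```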
Customers should upgrade to a minimum version of

Risk Considerations

Qualys has assessed the exploit and believes the risk to be low for the following reasons:

  • Exploitation requires the attacker to already have login access to Jenkins
  • Attackers must have the ability to configure Jenkins jobs
Yaroslav Afenkin, CloudBees, Inc.
