Qualys Container Scanning Connector Plugin
NVD Risk Rating
Qualys Risk Rating
CVSSv3.1 Vector (Base)
Qualys Jenkins Plugin for Policy Compliance, versions up to and including 1.0.5, was identified to be affected by a security flaw: a missing permission check on the form-validation method that performs the connectivity check against Qualys Cloud services. Any user with login access who could configure or edit jobs could invoke this check, point it at a rogue endpoint under their control, and have the plugin fetch and parse that endpoint's response. Because the XML parser was not configured to reject DTDs or external entities, a response carrying an XXE payload led to XML External Entity injection while the response data was processed.
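The two defects described above (a reachable form-validation endpoint with no permission check, and an XML parser that expands external entities) are shown together in the following illustrative Jenkins build-step descriptor. This is an added example, not the Qualys plugin's source and not code from the advisory; the class, package, parameter name `apiServer`, the `doTestConnectionUnsafe`/`doTestConnection` method names and the constructed `ROGUE_RESPONSE` string are all assumptions made for illustration. The "before" method keeps the behaviour the advisory describes; the "after" method adds the permission check Jenkins expects on such endpoints and a hardened `DocumentBuilderFactory`.

```java
package io.example.qualys; // hypothetical package, not the plugin's

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.w3c.dom.Document;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;

/**
 * Illustrative descriptor (added example, not the Qualys plugin's code) with a
 * "Test connection" form-validation endpoint, first as the advisory describes
 * the flaw, then hardened.
 */
@Extension
public class ConnectivityCheckDescriptor extends BuildStepDescriptor<Builder> {

    /** Constructed example of what an attacker-controlled endpoint could return. */
    static final String ROGUE_RESPONSE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
      + "<r>&xxe;</r>";

    @Override
    public boolean isApplicable(Class<? extends AbstractProject> jobType) { return true; }

    @Override
    public String getDisplayName() { return "Connectivity check example"; }

    // BEFORE: Stapler exposes this to any authenticated user who can reach the form,
    // no permission is checked, and the default parser honours DOCTYPE and entities.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String apiServer) {
        try (InputStream in = new URL(apiServer).openStream()) {
            Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(in);
            // &xxe; has already been expanded here; echoing it returns the file to the caller
            return FormValidation.ok("Connected: " + doc.getDocumentElement().getTextContent());
        } catch (Exception e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }

    // AFTER: require the permission the form implies, then parse with DTDs disabled.
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String apiServer) {
        if (item != null) {
            item.checkPermission(Item.CONFIGURE);              // job configuration form
        } else {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER); // global configuration form
        }
        try (InputStream in = new URL(apiServer).openStream()) {
            hardenedBuilder().parse(in);
            return FormValidation.ok("Connected");             // never echo response content
        } catch (Exception e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }

    /** Parser that refuses DOCTYPE declarations and all external entity/DTD access. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Stand-alone check: the hardened builder rejects the constructed rogue response. */
    public static void main(String[] args) throws Exception {
        try {
            hardenedBuilder().parse(new ByteArrayInputStream(
                ROGUE_RESPONSE.getBytes(StandardCharsets.UTF_8)));
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (org.xml.sax.SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Two points worth checking when reviewing a plugin for this class of bug: every `doCheck*`/`doTest*`/`doFill*` method that performs I/O should call `checkPermission` on the item (or `Jenkins.ADMINISTER` for global forms) before doing anything, and any XML parsed from a URL the user supplied should go through a factory with `disallow-doctype-decl` set, because the connectivity check is effectively a server-side request to an attacker-chosen host.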
Customers should upgrade to version 1.0.6 or later.
Qualys has assessed the exploit and believes the risk to be low for the following reasons:
Yaroslav Afenkin, CloudBees, Inc.