| Affected Product | Qualys Policy Compliance Jenkins Plugin |
| Advisory ID | Q-PVD-2024-002 |
| CVE ID | CVE-2023-6148 |
| Published | 2024-01-09 |
| CWE | CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting") |

| | NVD Risk Rating | Qualys Risk Rating |
| CVSSv3.1 Score | TBD | 5.7 |
| CVSSv3.1 Vector (Base) | TBD | AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
Qualys Jenkins Plugin for Policy Compliance version 1.0.5 and earlier is affected by a security flaw: a missing permission check in the connectivity check the plugin performs against Qualys Cloud services. Any user with login access who can configure or edit jobs could use the plugin to point that check at an attacker-controlled (rogue) endpoint and force the request; the endpoint's response could carry XSS payloads, leading to cross-site scripting when the plugin processes the response data.
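The pattern behind this class of Jenkins plugin bug, shown as an added illustration rather than code from the Qualys plugin: a Stapler form-validation method ("test connection") that neither checks the caller's permission nor escapes what the remote server returns. The class, method and parameter names (ExampleScanBuilder, doTestConnectionVulnerable, apiServer) are assumptions for the example, and the hardened form applies the general Jenkins conventions (POST only, permission check scoped to the form's context, escaped output); it is not the plugin's actual fix.

```java
package example; // illustrative package, not the plugin's

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

/** Hypothetical build step; names are assumptions made for this example. */
public class ExampleScanBuilder extends Builder {

    @Extension
    public static class DescriptorImpl extends BuildStepDescriptor<Builder> {

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        // VULNERABLE PATTERN (missing permission check + CWE-79):
        // 1. No permission check, so anyone who can reach the form-validation
        //    URL can make the controller fetch a URL of their choosing.
        // 2. The response body is rendered with markup allowed, so a rogue
        //    endpoint that answers with "<script>...</script>" gets it executed
        //    in the browser of whoever views the validation result.
        public FormValidation doTestConnectionVulnerable(@QueryParameter String apiServer) {
            try {
                String body = fetchBanner(apiServer);
                return FormValidation.okWithMarkup("Connected: " + body);
            } catch (Exception e) {
                return FormValidation.errorWithMarkup("Connection failed: " + e.getMessage());
            }
        }

        // HARDENED PATTERN:
        // - @POST rejects GET, so the check cannot be triggered by a crafted link.
        // - Permission is checked against the context the form lives in: the job
        //   (Item.CONFIGURE) when called from a job configuration page, otherwise
        //   Overall/Administer for a global configuration page.
        // - FormValidation.ok(String) and error(String) HTML-escape their
        //   argument; only the *WithMarkup variants render raw HTML.
        @POST
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String apiServer) {
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            try {
                String body = fetchBanner(apiServer);
                return FormValidation.ok("Connected: " + body);
            } catch (Exception e) {
                return FormValidation.error("Connection failed: " + e.getMessage());
            }
        }

        // Minimal fetch used by both variants (assumed helper, not the plugin's).
        private static String fetchBanner(String apiServer) throws Exception {
            HttpClient client = HttpClient.newBuilder()
                    .connectTimeout(Duration.ofSeconds(5))
                    .build();
            HttpRequest req = HttpRequest.newBuilder(URI.create(apiServer))
                    .timeout(Duration.ofSeconds(10))
                    .GET()
                    .build();
            HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
            // Truncate so a hostile server cannot dump an arbitrary amount of
            // text into the configuration UI.
            String body = resp.body();
            return body.length() > 200 ? body.substring(0, 200) : body;
        }
    }
}
```

When reviewing a plugin for this pattern, look for every `do*` method reachable from a config form: each one should carry `@POST` (or `@RequirePOST`), a `checkPermission` call before any network or credential use, and no `*WithMarkup` call whose argument includes data from the remote side.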
Customers should upgrade to a minimum version of 1.0.6.
Qualys has assessed the exploit and believes the risk to be low for the following reasons:
Yaroslav Afenkin, CloudBees, Inc.