
Security advisory.

Possible XSS vulnerability in Jenkins Plugin for Qualys Policy Compliance [CVE-2023-6148]

Affected Product: Qualys Policy Compliance Jenkins Plugin
Advisory ID: Q-PVD-2024-002
CVE ID:  CVE-2023-6148
Published: 2024-01-09
CWE: CWE-79

Risk Factor

                        NVD Risk Rating   Qualys Risk Rating
CVSSv3.1 Score          TBD               5.7
CVSSv3.1 Vector (Base)  TBD               AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Description

Qualys Jenkins Plugin for Policy Compliance, up to and including version 1.0.5, was found to be affected by a security flaw: a missing permission check when performing a connectivity check to Qualys Cloud services. This allowed any user with login access and permission to configure or edit jobs to use the plugin to point the connectivity check at a rogue endpoint under their control, whose response could carry XSS payloads that were rendered while the response data was processed, resulting in XSS.
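The following Java sketch is an added illustration of the general defect class described above, not code from the Qualys Policy Compliance plugin. It models a hypothetical Jenkins build step (class names, the "/version" path and the display name are all invented for the example) and shows a Stapler form-validation method in two forms: the flawed pattern, where a connectivity check is exposed without a permission check and echoes the remote response as raw HTML, and the hardened pattern, where the caller must hold Item.CONFIGURE on the job (or Jenkins.ADMINISTER outside a job context), the target must be an absolute https URL, and response data is HTML-escaped before it reaches the browser.

```java
// Hypothetical Jenkins build step for illustration; NOT the Qualys plugin's code.
package example.jenkins;

import hudson.Extension;
import hudson.Util;
import hudson.model.AbstractProject;
import hudson.model.Item;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;

import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

public class ExampleConnectivityBuilder extends Builder {

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {

        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Example connectivity check"; // invented display name
        }

        // FLAWED PATTERN (kept for contrast). Stapler exposes every do*() method of a
        // Descriptor over HTTP to any authenticated user. Two defects here: no permission
        // check, so any logged-in user can make the controller contact a host of their
        // choosing; and the remote response is rendered as HTML via okWithMarkup()
        // without escaping, so a hostile response body becomes script in the admin's browser.
        public FormValidation doTestConnectionUnsafe(@QueryParameter String apiServer) {
            try {
                return FormValidation.okWithMarkup("Connected: " + fetchBanner(apiServer));
            } catch (IOException | InterruptedException e) {
                return FormValidation.error("Connection failed: " + e.getMessage());
            }
        }

        // HARDENED PATTERN.
        public FormValidation doTestConnection(@AncestorInPath Item item,
                                               @QueryParameter String apiServer) {
            // 1. Authorization: require CONFIGURE on the job being edited, or ADMINISTER
            //    when the form is reached outside a job context. checkPermission() throws
            //    (rendered as HTTP 403) if the caller lacks the permission.
            if (item == null) {
                Jenkins.get().checkPermission(Jenkins.ADMINISTER);
            } else {
                item.checkPermission(Item.CONFIGURE);
            }
            // 2. Input validation: only an absolute https:// URL is accepted as the target.
            String raw = Util.fixEmptyAndTrim(apiServer);
            if (raw == null) {
                return FormValidation.error("Server URL is required");
            }
            URI target;
            try {
                target = URI.create(raw);
            } catch (IllegalArgumentException e) {
                return FormValidation.error("Malformed server URL");
            }
            if (!"https".equalsIgnoreCase(target.getScheme()) || target.getHost() == null) {
                return FormValidation.error("Server URL must be an absolute https:// URL");
            }
            // 3. Output encoding: FormValidation.ok() and error() HTML-escape their message
            //    (unlike the *WithMarkup variants), so response-derived text is inert.
            try {
                return FormValidation.ok("Connected: " + fetchBanner(target.toString()));
            } catch (IOException | InterruptedException e) {
                return FormValidation.error("Connection failed: " + e.getMessage());
            }
        }

        // Outbound request with timeouts; returns a bounded slice of the body so that
        // an oversized response cannot flood the validation message. "/version" is a
        // placeholder path for this example.
        private static String fetchBanner(String baseUrl) throws IOException, InterruptedException {
            HttpClient client = HttpClient.newBuilder()
                    .connectTimeout(Duration.ofSeconds(5))
                    .build();
            HttpRequest request = HttpRequest.newBuilder(URI.create(baseUrl + "/version"))
                    .timeout(Duration.ofSeconds(10))
                    .GET()
                    .build();
            HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
            if (response.statusCode() != 200) {
                throw new IOException("HTTP " + response.statusCode());
            }
            String body = response.body();
            return body.length() > 200 ? body.substring(0, 200) : body;
        }
    }
}
```

The permission check is the part that maps directly to the advisory: without it, the connectivity check is reachable by every authenticated user rather than only by those allowed to configure the job, and the controller becomes a relay to whatever endpoint the caller names. Escaping the response is the second, independent layer; fixing only one of the two leaves a weaker version of the same issue in place.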

Solution

Customers should upgrade to a minimum version of 1.0.6.

Risk Management Considerations

Qualys has assessed the exploit and believes the risk to be low for the following reasons:

  • Exploitation requires the attacker to already have login access to Jenkins
  • Attackers must have the ability to configure Jenkins jobs

Acknowledgments

Yaroslav Afenkin, CloudBees, Inc.
