
Security advisory.

Possible XXE vulnerability in Jenkins Plugin for Qualys Web Application Security [CVE-2023-6149]

Affected Product: Qualys Web Application Security Jenkins Plugin
Advisory ID: Q-PVD-2024-003
CVE ID:  CVE-2023-6149
Published: 2024-01-09
CWE: CWE-611

Risk Factor

                         NVD Risk Rating   Qualys Risk Rating
CVSSv3.1 Score           TBD               5.7
CVSSv3.1 Vector (Base)   TBD               AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Description

Qualys Jenkins Plugin for WAS version 2.0.11 and earlier is affected by a missing permission check on the connectivity check the plugin performs against Qualys Cloud services. Any user with login access who is able to configure or edit jobs could use the plugin to point that check at a rogue endpoint under their control. The plugin processes the endpoint's reply as XML, so a reply carrying an XXE payload leads to XML external entity injection (CWE-611) while the response data is processed.
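The following is an added illustration of the response-parsing half of this flaw; it is not code from the Qualys plugin, and the response body, element names and file name in it are constructed for the demonstration. It parses the same attacker-supplied reply twice: once with a default JDK DocumentBuilderFactory, which resolves the external entity and pulls a local file into the document, and once with the parser hardened so that a DOCTYPE in the reply is rejected outright. It needs Java 11 or later and no third-party libraries.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class RogueEndpointXxeDemo {

    // Parses the reply the way an unhardened client would. A default
    // DocumentBuilderFactory resolves SYSTEM entities, so a DOCTYPE supplied by a
    // rogue endpoint can read files on the host that runs the parse (here, the
    // Jenkins controller).
    static String parseUnsafe(String body) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    // Hardened variant. Refusing any DOCTYPE stops external entities and entity
    // expansion attacks in one step; the remaining features are belt-and-braces in
    // case a different parser implementation is picked up on the classpath.
    static String parseHardened(String body) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a secret on the controller; constructed for this demo.
        Path secret = Files.createTempFile("controller-secret", ".txt");
        Files.writeString(secret, "api-key=EXAMPLE-NOT-REAL");

        // Constructed reply from an endpoint the attacker pointed the connectivity
        // check at. Whatever the client expects, the attacker prepends a DOCTYPE
        // whose external entity reads a file on the machine doing the parsing.
        String rogueBody =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE r [<!ENTITY leak SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<response><status>&leak;</status></response>";

        System.out.println("unsafe parser saw: " + parseUnsafe(rogueBody));
        try {
            parseHardened(rogueBody);
            System.out.println("hardened parser accepted the reply (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the reply: " + e.getMessage());
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Run with `java RogueEndpointXxeDemo.java`: the first line prints the contents of the temporary file, the second reports that the DOCTYPE was disallowed. The other half of the fix belongs to the Jenkins side and is not shown here: a form-validation or test-connection method that reaches out to a user-supplied URL should check permissions before doing so, for which Jenkins' documented pattern is a call such as `Jenkins.get().checkPermission(Jenkins.ADMINISTER)` at the top of the method.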

Solution

Customers should upgrade to version 2.0.12 or later.

Risk Management Considerations

Qualys has assessed the issue and considers the risk low for the following reasons:

  • Exploitation requires the attacker to already have login access to Jenkins
  • Attackers must have the ability to configure Jenkins jobs

Acknowledgments

Yaroslav Afenkin, CloudBees, Inc.
