GHSA-8525-52vg-jv6v: Qualys Jenkins Plugin for Policy Compliance XML External Entity vulnerability

Qualys Jenkins Plugin for Policy Compliance up to and including version 1.0.5 was identified to be affected by a security flaw: a missing permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to use the plugin and configure a potentially rogue endpoint, via which it was possible to control the response to certain requests; that response could be injected with XXE payloads, leading to XXE while processing the response data.
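The flaw chains a missing permission check on the connectivity check with an XXE-susceptible parse of the endpoint's response. As an added illustration (not the plugin's own code), the Java below shows how the response-parsing half is hardened: a `DocumentBuilderFactory` configured to reject DOCTYPE declarations and external entities, so a response from an attacker-controlled endpoint cannot pull in entities during parsing. The class name and the sample response bodies are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Hardened handling for an XML response fetched from a user-configurable endpoint.
 * Illustrative code written for this advisory write-up, not taken from the Qualys plugin.
 */
public final class SafeResponseParser {

    /** Builds a parser that refuses DOCTYPE declarations and external entities. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE defeats classic, blind and parameter-entity XXE outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the DOCTYPE feature.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses a response body; a DOCTYPE-bearing (XXE-style) body raises SAXParseException. */
    public static Document parseResponse(String body) throws Exception {
        return hardenedBuilder().parse(new InputSource(new StringReader(body)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies: a benign status response and one carrying an entity declaration.
        String benign = "<ServiceResponse><responseCode>SUCCESS</responseCode></ServiceResponse>";
        String hostile = "<!DOCTYPE r [<!ENTITY x SYSTEM \"file:///constructed-test-path\">]><r>&x;</r>";
        System.out.println("parsed root: " + parseResponse(benign).getDocumentElement().getTagName());
        try {
            parseResponse(hostile);
            System.out.println("ERROR: hostile body was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The other half of the fix is the permission check itself: a Jenkins form-validation endpoint of this kind should be a POST handler that calls the appropriate `checkPermission` for the requesting user before contacting the configured endpoint, so the connectivity check cannot be reached by users who lack that permission.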

Qualys Jenkins Plugin for Policy Compliance XML External Entity vulnerability

CVE-2023-6147. Moderate severity. GitHub Reviewed. Published to the GitHub Advisory Database Jan 9, 2024; updated Jan 9, 2024.

Package

com.qualys.plugins:qualys-pc (Maven)

Affected versions

<= 1.0.5

References

  • https://nvd.nist.gov/vuln/detail/CVE-2023-6147
  • https://www.qualys.com/security-advisories/
  • https://plugins.jenkins.io/qualys-pc/

Published to the GitHub Advisory Database

Jan 9, 2024
