GHSA-5gwh-r76w-934h: Qualys Jenkins Plugin for WAS XML External Entity vulnerability
Qualys Jenkins Plugin for WAS up to and including version 2.0.11 was identified to be affected by a security flaw: a missing permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access and permission to configure or edit jobs to use the plugin to configure a potentially rogue endpoint, through which it was possible to control the response to certain requests; that response could carry XXE payloads, leading to XXE while the plugin processed the response data.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-6149
Moderate severity GitHub Reviewed Published Jan 9, 2024 to the GitHub Advisory Database • Updated Jan 9, 2024
Package
com.qualys.plugins:qualys-was (Maven)
Affected versions
<= 2.0.11
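As an added illustration, not the plugin's own code nor the fix in the referenced commit, the two controls the description above implies, written in the shape of a Jenkins "Test Connection" handler: a permission check before the connectivity request is made, and an XML parser that refuses DTDs and external entities before the endpoint's reply is processed. The class, method and status path are assumed, as is Overall/Administer as the required permission.

```java
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;
import org.w3c.dom.Document;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

// Hypothetical descriptor; shaped like a Jenkins "Test Connection" form-validation handler.
public class ExampleWasConnectivityCheck {

    // Control 1: a permission check before anything is fetched. Without it, any user who can
    // configure a job can drive this handler against an endpoint of their choosing.
    // Overall/Administer is assumed here as the scope for a global connectivity test.
    @POST
    public FormValidation doTestConnection(@QueryParameter String apiServer) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        try {
            byte[] body = fetchStatus(apiServer);
            parseResponse(body); // only succeeds on plain XML with no DOCTYPE
            return FormValidation.ok("Connection successful");
        } catch (Exception e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }

    // Plain HTTP GET to a placeholder status path (the plugin's real endpoint is not on the page).
    static byte[] fetchStatus(String apiServer) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create(apiServer + "/status")).GET().build();
        return HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofByteArray()).body();
    }

    // Control 2: treat the reply as untrusted XML. A default DocumentBuilderFactory resolves
    // external entities, which is what turns a rogue endpoint's reply into an XXE primitive.
    static Document parseResponse(byte[] body) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(body));
    }
}
```

Rejecting the DOCTYPE outright is the simplest check to verify in review: a reply that begins with `<!DOCTYPE` fails to parse instead of being resolved.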
References
- https://nvd.nist.gov/vuln/detail/CVE-2023-6149
- https://www.qualys.com/security-advisories/
- jenkinsci/qualys-was-plugin@b4eeb34