CVE-2023-6147

CVSS v3.1 6.5 (Medium)
EPSS 0.05% (17th percentile)
Affected Products 1
Advisories 2

Qualys Jenkins Plugin for Policy Compliance, version 1.0.5 and prior, is affected by a missing permission check when performing a connectivity check to Qualys Cloud Services. Any user with login access and permission to configure or edit jobs could use the plugin to point the connectivity check at a rogue endpoint, control the responses to certain requests, and inject XXE payloads that are parsed when the plugin processes the response data, resulting in XML External Entity (XXE) injection.

Weaknesses
CWE-611
Improper Restriction of XML External Entity Reference
CVE Status
PUBLISHED
CNA
Qualys, Inc.
Published Date
2024-01-09 08:15:36
Updated Date
2024-01-24 18:15:08

Affected Products


Configuration #1

Product:  Qualys Policy Compliance for Jenkins 1.0.5 and prior versions
CPE23:    cpe:2.3:a:qualys:policy_compliance::*:*:*:*:jenkins
From:     (not specified)
Up To:    <= 1.0.5