Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01Z3doLXI3NnctOTM0aM4AA4SI
Qualys Jenkins Plugin for WAS XML External Entity vulnerability
Qualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data
Permalink: https://github.com/advisories/GHSA-5gwh-r76w-934hJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01Z3doLXI3NnctOTM0aM4AA4SI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 11 months ago
CVSS Score: 5.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Identifiers: GHSA-5gwh-r76w-934h, CVE-2023-6149
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-6149
- https://www.qualys.com/security-advisories/
- https://github.com/jenkinsci/qualys-was-plugin/commit/b4eeb34747fa1b934abbdf686102f6495fdb02ee
- https://www.qualys.com/security-advisories/cve-2023-6149/
- https://github.com/advisories/GHSA-5gwh-r76w-934h
Blast Radius: 1.0
Affected Packages
maven:com.qualys.plugins:qualys-was
Affected Version Ranges: <= 2.0.11Fixed in: 2.0.12