GHSA-8wgf-3mrj-73x7

Опубликовано: 26 июл. 2023

Источник: github

Github: Прошло ревью

CVSS3: 4.2

Описание

Incorrect permission checks in Qualys Web App Scanning Connector Plugin allow capturing credentials

Qualys Web App Scanning Connector Plugin 2.0.10 and earlier does not correctly perform permission checks in several HTTP endpoints.

This allows attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Qualys Web App Scanning Connector Plugin 2.0.11 requires the appropriate permissions for the affected HTTP endpoints.

Ссылки

Пакеты

Наименование

com.qualys.plugins:qualys-was

maven

Затронутые версииВерсия исправления

< 2.0.11

2.0.11

EPSS

Процентиль: 20%

0.00063

Низкий

4.2 Medium

CVSS3

CVE ID

CVE-2023-39154

Дефекты

CWE-863

Связанные уязвимости

CVE-2023-39154

CVSS3: 6.5

nvd

больше 2 лет назад

Incorrect permission checks in Jenkins Qualys Web App Scanning Connector Plugin 2.0.10 and earlier allow attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

EPSS

Процентиль: 20%

0.00063

Низкий

4.2 Medium

CVSS3

CVE ID

CVE-2023-39154

Дефекты

CWE-863