GHSA-8525-52vg-jv6v

Source
https://github.com/advisories/GHSA-8525-52vg-jv6v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-8525-52vg-jv6v/GHSA-8525-52vg-jv6v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8525-52vg-jv6v
Aliases
  • CVE-2023-6147
Published
2024-01-09T09:30:29Z
Modified
2024-02-21T05:36:55.486133Z
Severity
  • 5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Summary
Qualys Jenkins Plugin for Policy Compliance XML External Entity vulnerability
Details

Qualys Jenkins Plugin for Policy Compliance up to and including version 1.0.5 was identified to be affected by a security flaw: a missing permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to use the plugin to configure a rogue endpoint, through which it was possible to control the response to certain requests. That response could carry XXE payloads, leading to XXE while the plugin processed the response data.
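The CWE-611 half of this advisory is the plugin parsing an XML response from an endpoint a low-privileged user can choose. The following is an added example, not the plugin's own code, of how a Jenkins plugin would parse such a response with JAXP so that entity declarations in the body cannot be acted on; the class and method names and the constructed rogue response are assumptions for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlResponseParser {
    // Constructed sample of what a rogue endpoint could return: the DOCTYPE declares an
    // external entity that a default JAXP parser would resolve and inline into the document.
    static final String CONSTRUCTED_ROGUE_RESPONSE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE STATUS [<!ENTITY ext SYSTEM \"file:///constructed/not-a-real-path\">]>\n"
        + "<STATUS>&ext;</STATUS>";
    // A parser that cannot be steered by DTD or entity declarations inside the input.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: reject any DOCTYPE, so no entity of any kind can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a different JAXP implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }
    // Parse a body fetched from a user-configurable endpoint; null means it was rejected,
    // so no caller ever sees entity-expanded content.
    static Document parseUntrustedResponse(String body) throws ParserConfigurationException, IOException {
        try {
            return hardenedBuilder().parse(new InputSource(new StringReader(body)));
        } catch (SAXException e) {
            System.out.println("rejected response: " + e.getMessage());
            return null;
        }
    }
    public static void main(String[] args) throws Exception {
        Document benign = parseUntrustedResponse("<STATUS>OK</STATUS>");
        System.out.println("benign root element: " + benign.getDocumentElement().getTagName());
        Document rogue = parseUntrustedResponse(CONSTRUCTED_ROGUE_RESPONSE);
        System.out.println("rogue response accepted: " + (rogue != null));
    }
}
```

The other half of the fix, not shown here because it needs the Jenkins runtime, is guarding the connectivity-check endpoint with a permission check so that job-configure rights alone are not enough to point the plugin at an arbitrary host.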

Database specific
{
    "nvd_published_at": "2024-01-09T08:15:36Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-09T18:50:03Z"
}
References

Affected packages

Maven / com.qualys.plugins:qualys-pc

Package

Name
com.qualys.plugins:qualys-pc
Purl
pkg:maven/com.qualys.plugins/qualys-pc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.0.6

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5

Database specific

{
    "last_known_affected_version_range": "<= 1.0.5"
}