CVE-2023-6149

Name of the Vulnerable Software and Affected Versions Qualys Jenkins Plugin for WAS versions prior to and including 2.0.11

Description The issue is related to a missing permission check while performing a connectivity check to Qualys Cloud Services. This flaw allows any user with login access to configure or edit jobs to utilize the plugin and potentially configure a rogue endpoint. This endpoint can control responses for certain requests, which can be injected with XXE payloads, leading to XXE attacks while processing the response data.

Recommendations For Qualys Jenkins Plugin for WAS versions prior to and including 2.0.11, update to a version later than 2.0.11 to resolve the issue. As a temporary workaround, consider restricting access to the plugin for users with login access to configure or edit jobs until a patch is available. Restrict the ability to configure or edit jobs to minimize the risk of exploitation.