PT-2024-1590 · Qualys · Qualys Jenkins Plugin For Policy Compliance

Published: 2024-01-09 · Updated: 2024-01-24 · CVE-2023-6147

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Qualys Jenkins Plugin for Policy Compliance versions prior to 1.0.6

Description: The issue affects the Qualys Policy Compliance Connector Plugin and stems from incorrect restriction of XML external entity references, allowing a remote attacker to conduct XXE attacks using specially crafted XML. The root cause is a missing permission check in the connectivity check to Qualys Cloud Services: any logged-in user who can configure or edit jobs can invoke the plugin's check and potentially control the responses to certain requests, and those responses could carry XXE payloads.

Recommendations: For Qualys Jenkins Plugin for Policy Compliance versions prior to 1.0.6, update to version 1.0.6 or later to resolve the issue. As a temporary workaround, restrict access to the plugin to reduce the risk of exploitation.
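The description above says the weakness is an XML parser that resolves external entities when handling a response an attacker may control. The added example below is not the plugin's code and is not from the advisory; it is a generic Java (JAXP) illustration of the weak default parser configuration beside a hardened one that refuses DOCTYPE declarations and disables external entity resolution, which is the standard mitigation for this class of bug. The class name, method names and the sample XML are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical class for illustration; not part of the Qualys plugin.
public class HardenedXmlParsing {

    // Weak configuration: JAXP defaults accept a DOCTYPE and resolve entities,
    // which is what makes an XXE payload in an attacker-controlled response effective.
    static DocumentBuilder weakBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: refuse DOCTYPE outright and, as defence in depth,
    // disable external general/parameter entities, external DTD loading,
    // XInclude and entity-reference expansion. All feature URIs below are
    // supported by the JDK's built-in Xerces parser.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse a response body that must be treated as untrusted, for example the
    // body returned by a connectivity check whose target a job configurer can influence.
    static Document parseUntrusted(String xml) throws Exception {
        return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a response carrying a DOCTYPE with an entity.
        // The entity is deliberately inert; the point is that the hardened
        // parser rejects the DOCTYPE before any entity could be resolved.
        String suspicious = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE r [<!ENTITY e \"constructed\">]>\n"
            + "<r>&e;</r>";
        String benign = "<r>ok</r>";

        // Weak parser: the entity is expanded and its value lands in the document.
        Document weak = weakBuilder().parse(new InputSource(new StringReader(suspicious)));
        System.out.println("weak parser text: " + weak.getDocumentElement().getTextContent());

        // Hardened parser: the same input is rejected.
        try {
            parseUntrusted(suspicious);
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }

        // Hardened parser still handles ordinary responses.
        System.out.println("benign root: "
            + parseUntrusted(benign).getDocumentElement().getTagName());
    }
}
```

Rejecting DOCTYPE entirely is the simplest robust setting when the expected responses never need a DTD; the remaining feature flags matter for code paths that cannot forbid DOCTYPE or that use a different parser API (SAX, StAX, XMLReader), each of which needs the equivalent settings applied separately.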

Tags: Fix, XXE


Weakness Enumeration

Related Identifiers

BDU:2024-01178
CVE-2023-6147
GHSA-8525-52VG-JV6V

Affected Products

Qualys Jenkins Plugin For Policy Compliance