Incorrect Permission Assignment on Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier
CVE-2023-4777

4.3MEDIUM

Key Information:

Vendor: Qualys,Inc.
Status: Container Scanning Connector Jenkins Plugin
Vendor: CVE Published:; 8 September 2023

🔔 Create Qualys,Inc. Vulnerability Alert

What is CVE-2023-4777?

An incorrect permission check in Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins and to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins.

Affected Version(s)

Container Scanning Connector Jenkins Plugin 1.6.2.6 <= 1.6.0.1

References

https://www.qualys.com/security-advisories/

vendor-advisory

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 8, 2023
Vulnerability Reserved
Sep 5, 2023

Credit

Yaroslav Afenkin, CloudBees, Inc.

CVE-2023-4777 Data

JSON