製品・ソフトウェアに関する情報
qualys の Jenkins 用 web application screening における XML 外部エンティティの脆弱性
Title qualys の Jenkins 用 web application screening における XML 外部エンティティの脆弱性
Summary

qualys の Jenkins 用 web application screening には、XML 外部エンティティの脆弱性が存在します。

Possible impacts 情報を改ざんされる可能性があります。
Solution

ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。

Publication Date Nov. 15, 2023, midnight
Registration Date Feb. 2, 2024, 9:49 a.m.
Last Update Feb. 2, 2024, 9:49 a.m.
CVSS3.0 : 警告
Score 6.5
Vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected System
qualys
web application screening 2.0.11 およびそれ以前
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
その他
Change Log
No Changed Details Date of change
1 [2024年02月02日]
  掲載
Feb. 2, 2024, 9:49 a.m.

NVD Vulnerability Information
CVE-2023-6149
Summary


Qualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data

Publication Date Jan. 9, 2024, 6:15 p.m.
Registration Date Jan. 10, 2024, 10 a.m.
Last Update Nov. 21, 2024, 5:43 p.m.
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:qualys:web_application_screening:*:*:*:*:*:jenkins:*:* 2.0.11
Related information, measures and tools
Common Vulnerabilities List