Qualys Security Vulnerabilities


CVE-2022-29549

An issue was discovered in Qualys Cloud Agent 4.8.0-49. It executes programs at various full pathnames without first making ownership and permission checks (e.g., to help ensure that a program was installed by root) and without integrity checks (e.g., a checksum comparison against known legitimate ...

7.3 CVSS

7.3 AI Score

0.0004 EPSS

2022-08-18 01:15 PM
30
8

CVE-2022-29550

An issue was discovered in Qualys Cloud Agent 4.8.0-49. It writes "ps auxwwe" output to the /var/log/qualys/qualys-cloud-agent-scan.log file. This may, for example, unexpectedly write credentials (from environment variables) to disk in cleartext. NOTE: there are no common circumstances in which qua...

5.5 CVSS

5.9 AI Score

0.0004 EPSS

2022-08-18 01:15 PM
45
7

CVE-2023-28140

An Executable Hijacking condition exists in the Qualys Cloud Agent for Windows platform in versions before 4.5.3.1. Attackers may load a malicious copy of a Dependency Link Library (DLL) via a local attack vector instead of the DLL that the application was expecting, when processes are running with esc...

7 CVSS

6.7 AI Score

0.001 EPSS

2023-04-18 04:15 PM
18

CVE-2023-28141

An NTFS Junction condition exists in the Qualys Cloud Agent for Windows platform in versions before 4.8.0.31. Attackers may write files to arbitrary locations via a local attack vector. This allows attackers to assume the privileges of the process, and they may delete or otherwise on unauthorized files...

6.7 CVSS

6.2 AI Score

0.0004 EPSS

2023-04-18 04:15 PM
29

CVE-2023-28142

A Race Condition exists in the Qualys Cloud Agent for Windows platform in versions from 3.1.3.34 and before 4.5.3.1. This allows attackers to escalate privileges limited on the local machine during uninstallation of the Qualys Cloud Agent for Windows. Attackers may gain SYSTEM level privileges on that ...

7 CVSS

6.9 AI Score

0.0004 EPSS

2023-04-18 04:15 PM
34
2

CVE-2023-28143

Qualys Cloud Agent for macOS (versions 2.5.1-75 before 3.7) installer allows a local escalation of privilege bounded only to the time of installation and only on older macOSX (macOS 10.15 and older) versions. Attackers may exploit incorrect file permissions to give them ROOT command execution privilege...

7 CVSS

7 AI Score

0.0004 EPSS

2023-04-18 04:15 PM
29

CVE-2023-4777

An incorrect permission check in Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins and to connect to an a...

4.3 CVSS

4.5 AI Score

0.001 EPSS

2023-09-08 09:15 AM
29

CVE-2023-6146

A Qualys web application was found to have a stored XSS vulnerability resulting from the absence of HTML encoding in the presentation of logging information to users. This vulnerability allowed a user with login access to the application to introduce an XSS payload via browser details.

5.7 CVSS

5 AI Score

0.0004 EPSS

2023-12-08 03:15 PM
12

CVE-2023-6147

Qualys Jenkins Plugin for Policy Compliance, in versions up to and including 1.0.5, was identified to be affected by a security flaw: it was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs t...

6.5 CVSS

6.6 AI Score

0.0005 EPSS

2024-01-09 08:15 AM
30

CVE-2023-6148

Qualys Jenkins Plugin for Policy Compliance, in versions up to and including 1.0.5, was identified to be affected by a security flaw: it was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access and access to configure or ...

5.7 CVSS

5.6 AI Score

0.0004 EPSS

2024-01-09 09:15 AM
24

CVE-2023-6149

Qualys Jenkins Plugin for WAS, in versions up to and including 2.0.11, was identified to be affected by a security flaw: it was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the...

6.5 CVSS

6.4 AI Score

0.0005 EPSS

2024-01-09 09:15 AM
24