Lucene search

QualysVULNRICHMENT:CVE-2023-4777

HistorySep 08, 2023 - 8:42 a.m.

CVE-2023-4777 Incorrect Permission Assignment on Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier

2023-09-0808:42:35

CWE-732

Qualys

github.com

cve-2023

permission assignment

qualys plugin

jenkins

credentials capture

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

6.5

Confidence

High

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

An incorrect permission check in Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins and to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins.

References

www.qualys.com/security-advisories/

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

6.5

Confidence

High

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2023-4777