CVE-2023-39154
Incorrect permission checks in Qualys Web App Scanning Connector Plugin allow capturing credentials
Score: 4.2 MEDIUM (CVSS 3.1), EPSS 0.12%
Description
Qualys Web App Scanning Connector Plugin 2.0.10 and earlier does not correctly perform permission checks in several HTTP endpoints. This allows attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins. Qualys Web App Scanning Connector Plugin 2.0.11 requires the appropriate permissions for the affected HTTP endpoints.
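The class of fix the advisory describes, shown as an added illustration rather than the Qualys plugin's own code: a Jenkins form-validation endpoint that resolves a credentials ID and connects to a user-supplied URL, first without permission checks (the shape of the weakness) and then with the checks a plugin must perform. The hypothetical `ConnectorDescriptorExample` class, its two `doTestConnection*` methods and the `connect` stub are assumptions; the Jenkins core and Credentials Plugin calls are real APIs.

```java
import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import java.util.Collections;

// Hypothetical descriptor written for this example, not the Qualys plugin's code.
public class ConnectorDescriptorExample {
    // BEFORE: the shape of the weakness. Anyone who can reach the endpoint picks
    // the URL and a credentialsId; Jenkins then authenticates to that URL with it.
    public FormValidation doTestConnectionUnchecked(@QueryParameter String url,
                                                    @QueryParameter String credentialsId) {
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        return connect(url, c);
    }

    // AFTER: demand a permission that implies the caller may use the credential,
    // and resolve the id only within the caller's item context.
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String url,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER); // global configuration page
        } else {
            item.checkPermission(Item.CONFIGURE);
            item.checkPermission(CredentialsProvider.USE_ITEM); // Item/Configure alone is not enough
        }
        StandardUsernamePasswordCredentials c = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(StandardUsernamePasswordCredentials.class,
                        item, ACL.SYSTEM, Collections.emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (c == null) {
            return FormValidation.error("No usable credential with that id in this context");
        }
        return connect(url, c);
    }

    private FormValidation connect(String url, StandardUsernamePasswordCredentials c) {
        // Stand-in for the real connectivity test (constructed for this example).
        return c == null ? FormValidation.error("Credential not found") : FormValidation.ok();
    }
}
```

The same two checks (a context-appropriate permission on entry, and a credential lookup scoped to that context rather than to the whole controller) apply to `doFill*Items` dropdown endpoints, which would otherwise enumerate credential IDs for the same callers.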
How to fix CVE-2023-39154
To remediate CVE-2023-39154, upgrade the affected package to a fixed version below.
- Upgrade to 2.0.11 or later
Is CVE-2023-39154 being exploited?
Low: EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Qualys Web App Scanning Connector Plugin: all versions from 0 up to, but not including, 2.0.11
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.2) | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |