CVE-2023-6147 — Qualys Jenkins Plugin for Policy Compliance XML External Entity vulnerability

描述

Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data

如何修補 CVE-2023-6147

要修補 CVE-2023-6147,請將受影響套件升級到下列已修補版本。

—升級至 1.0.6 或更新版本

CVE-2023-6147 正在被利用嗎?

低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 1.0.6

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

參考連結(6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-6147
PATCHgithub.com/jenkinsci/qualys-pc-plugin
WEBplugins.jenkins.io/qualys-pc
WEBwww.qualys.com/security-advisories
WEBwww.qualys.com/security-advisories/cve-2023-6147