CVE-2023-4777 (severity: Low)

CVE-2023-4777: Incorrect Permission Assignment on Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier

Vendor: Qualys, Inc.
Product: Container Scanning Connector Jenkins Plugin
Weakness: CWE-732 (Incorrect Permission Assignment for Critical Resource)
Published: September 8, 2023
Last update: September 25, 2024

CVSS base score

3.1/10
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

An incorrect permission check in Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier allows attackers who hold the global Item/Configure permission (but lack Item/Configure permission on any particular job) to enumerate the IDs of credentials stored in Jenkins and to connect to an attacker-specified URL using attacker-specified credential IDs, thereby capturing credentials stored in Jenkins.

Key dates

Disclosure timeline

September 8, 2023: CVE published
September 25, 2024: Record updated