CVE-2023-6149 (GCVE-0-2023-6149)

Vulnerability from cvelistv5 – Published: 2024-01-09 08:21 – Updated: 2025-06-16 19:55
VLAI
Title
Possible XXE vulnerability in Jenkins Plugin for Qualys Web Application Security
Summary
Qualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data
Severity
5.7 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE
  • CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
Date Public
2024-01-09 08:19
Credits
Yaroslav Afenkin, CloudBees, Inc.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:21:17.517Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.qualys.com/security-advisories/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-6149",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-16T19:54:51.791392Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-16T19:55:06.009Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Web App Scanning Connector Jenkins Plugin",
          "vendor": "Qualys,Inc. ",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.0.12",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "2.0.3",
              "status": "affected",
              "version": "2.0.11",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Yaroslav Afenkin, CloudBees, Inc. "
        }
      ],
      "datePublic": "2024-01-09T08:19:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eQualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. T\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ehis allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data\u003c/span\u003e"
            }
          ],
          "value": "\nQualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-611",
              "description": "CWE-611 Improper Restriction of XML External Entity Reference",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-09T08:21:12.804Z",
        "orgId": "8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda",
        "shortName": "Qualys"
      },
      "references": [
        {
          "url": "https://www.qualys.com/security-advisories/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eCustomers should upgrade to a minimum version of 2.0.12\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;\u003c/span\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "\nCustomers should upgrade to a minimum version of 2.0.12\u00a0\n\n\n"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Possible XXE vulnerability in Jenkins Plugin for Qualys Web Application Security ",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda",
    "assignerShortName": "Qualys",
    "cveId": "CVE-2023-6149",
    "datePublished": "2024-01-09T08:21:12.804Z",
    "dateReserved": "2023-11-15T10:10:27.944Z",
    "dateUpdated": "2025-06-16T19:55:06.009Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-6149",
      "date": "2026-05-27",
      "epss": "0.00217",
      "percentile": "0.44193"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:qualys:web_application_screening:*:*:*:*:*:jenkins:*:*\", \"versionEndIncluding\": \"2.0.11\", \"matchCriteriaId\": \"560F3C7B-37AD-461C-B0B6-403C55E28804\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"\\nQualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data\"}, {\"lang\": \"es\", \"value\": \"Se identific\\u00f3 que Qualys Jenkins Plugin para WAS anterior a la versi\\u00f3n 2.0.11 incluida estaba afectado por un fallo de seguridad, al que le faltaba una verificaci\\u00f3n de permiso al realizar una verificaci\\u00f3n de conectividad con Qualys Cloud Services. Esto permiti\\u00f3 a cualquier usuario con acceso de inicio de sesi\\u00f3n configurar o editar jobs para utilizar el complemento y configurar un endpoint potencial a trav\\u00e9s del cual era posible controlar la respuesta para cierta solicitud que podr\\u00eda inyectarse con payloads XXE que conduzcan a XXE mientras se procesan los datos de respuesta.\"}]",
      "id": "CVE-2023-6149",
      "lastModified": "2024-11-21T08:43:15.087",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"bugreport@qualys.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N\", \"baseScore\": 5.7, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
      "published": "2024-01-09T09:15:42.737",
      "references": "[{\"url\": \"https://www.qualys.com/security-advisories/\", \"source\": \"bugreport@qualys.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://www.qualys.com/security-advisories/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "bugreport@qualys.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"bugreport@qualys.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-611\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-611\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-6149\",\"sourceIdentifier\":\"bugreport@qualys.com\",\"published\":\"2024-01-09T09:15:42.737\",\"lastModified\":\"2024-11-21T08:43:15.087\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"\\nQualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data\"},{\"lang\":\"es\",\"value\":\"Se identific\u00f3 que Qualys Jenkins Plugin para WAS anterior a la versi\u00f3n 2.0.11 incluida estaba afectado por un fallo de seguridad, al que le faltaba una verificaci\u00f3n de permiso al realizar una verificaci\u00f3n de conectividad con Qualys Cloud Services. Esto permiti\u00f3 a cualquier usuario con acceso de inicio de sesi\u00f3n configurar o editar jobs para utilizar el complemento y configurar un endpoint potencial a trav\u00e9s del cual era posible controlar la respuesta para cierta solicitud que podr\u00eda inyectarse con payloads XXE que conduzcan a XXE mientras se procesan los datos de respuesta.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"bugreport@qualys.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":5.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"bugreport@qualys.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-611\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:qualys:web_application_screening:*:*:*:*:*:jenkins:*:*\",\"versionEndIncluding\":\"2.0.11\",\"matchCriteriaId\":\"560F3C7B-37AD-461C-B0B6-403C55E28804\"}]}]}],\"references\":[{\"url\":\"https://www.qualys.com/security-advisories/\",\"source\":\"bugreport@qualys.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.qualys.com/security-advisories/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.qualys.com/security-advisories/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T08:21:17.517Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-6149\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-16T19:54:51.791392Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-16T19:54:59.021Z\"}}], \"cna\": {\"title\": \"Possible XXE vulnerability in Jenkins Plugin for Qualys Web Application Security \", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Yaroslav Afenkin, CloudBees, Inc. \"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Qualys,Inc. \", \"product\": \"Web App Scanning Connector Jenkins Plugin\", \"versions\": [{\"status\": \"affected\", \"changes\": [{\"at\": \"2.0.12\", \"status\": \"unaffected\"}], \"version\": \"2.0.11\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"2.0.3\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"\\nCustomers should upgrade to a minimum version of 2.0.12\\u00a0\\n\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eCustomers should upgrade to a minimum version of 2.0.12\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003e\u0026nbsp;\u003c/span\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"datePublic\": \"2024-01-09T08:19:00.000Z\", \"references\": [{\"url\": \"https://www.qualys.com/security-advisories/\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"\\nQualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\\n\\n\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eQualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. T\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003ehis allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data\u003c/span\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-611\", \"description\": \"CWE-611 Improper Restriction of XML External Entity Reference\"}]}], \"providerMetadata\": {\"orgId\": \"8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda\", \"shortName\": \"Qualys\", \"dateUpdated\": \"2024-01-09T08:21:12.804Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-6149\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-16T19:55:06.009Z\", \"dateReserved\": \"2023-11-15T10:10:27.944Z\", \"assignerOrgId\": \"8a309ac4-d8c7-4735-9c1d-ca39c5dfbcda\", \"datePublished\": \"2024-01-09T08:21:12.804Z\", \"assignerShortName\": \"Qualys\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.