An incorrect permission check in Qualys Container Scanning Connector Plugin 1.6.2.6 and earlier allows attackers with global Item/Configure permission (while lacking Item/Configure permission on any particular job) to enumerate credentials IDs of credentials stored in Jenkins and to connect to an attacker-specified URL using attacker-specified credentials IDs, capturing credentials stored in Jenkins.
Metrics
Affected Vendors & Products
References
Link | Providers |
---|---|
https://www.qualys.com/security-advisories/ |
History
Wed, 25 Sep 2024 20:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
MITRE
Status: PUBLISHED
Assigner: Qualys
Published: 2023-09-08T08:42:35.645Z
Updated: 2024-09-25T20:07:05.784Z
Reserved: 2023-09-05T15:39:46.417Z
Link: CVE-2023-4777
Vulnrichment
Updated: 2024-08-02T07:38:00.467Z
NVD
Status : Modified
Published: 2023-09-08T09:15:08.697
Modified: 2024-11-21T08:35:57.827
Link: CVE-2023-4777
Redhat
No data.