CVE-2023-6149: Improper Restriction of XML External Entity Reference

January 9, 2024

Qualys Jenkins Plugin for WAS prior to version and including 2.0.11 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processing the response data

References

github.com/advisories/GHSA-5gwh-r76w-934h
github.com/jenkinsci/qualys-was-plugin/commit/b4eeb34747fa1b934abbdf686102f6495fdb02ee
nvd.nist.gov/vuln/detail/CVE-2023-6149
www.qualys.com/security-advisories/

Detect and mitigate CVE-2023-6149 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →