CVE-2023-39154

Summary

The vulnerability with the CVE ID CVE-2023-39154 affects Jenkins Qualys Web App Scanning Connector Plugin version 2.0.10 and earlier. It allows attackers with global Item/Configure permission to connect to a specified URL using attacker-specified credentials obtained through another method, potentially capturing stored credentials in Jenkins. The vulnerability has a base severity rating of MEDIUM and a base score of 6.5 according to NIST's National Vulnerability Database (NVD). The impact includes high confidentiality impact, low attack complexity, and low privileges required. No user interaction is required for exploitation, and the attack vector is through the network. The vulnerability does not affect the availability or integrity of the system. Remediation measures for this vulnerability should be provided by Jenkins, such as releasing an updated version of the plugin that addresses the incorrect permission checks issue. Organizations using affected versions should update to the patched version as soon as possible to mitigate the potential danger it poses in terms of unauthorized access to credentials stored in Jenkins.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.