References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Known Affected Software Configurations Switch to CPE 2.2

Change History

Qualys, Inc. http://www.openwall.com/lists/oss-security/2024/01/24/6 [No types assigned]

OR
     *cpe:2.3:a:qualys:policy_compliance:*:*:*:*:*:jenkins:*:* versions up to (including) 1.0.5

NIST AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

NIST CWE-611

https://www.qualys.com/security-advisories/ No Types Assigned

https://www.qualys.com/security-advisories/ Vendor Advisory

Qualys, Inc. AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Qualys, Inc. CWE-611

Qualys Jenkins Plugin for Policy Compliance prior to version and including 1.0.5 was identified to be affected by a security flaw, which was missing a permission check while performing a connectivity check to Qualys Cloud Services. This allowed any user with login access to configure or edit jobs to utilize the plugin and configure potential a rouge endpoint via which it was possible to control response for certain request which could be injected with XXE payloads leading to XXE while processin

Qualys, Inc. https://www.qualys.com/security-advisories/ [No types assigned]