vulnerability

Jenkins Advisory 2023-07-26: CVE-2023-39154: Incorrect permission checks in Qualys Web App Scanning Connector Plugin allow capturing credentials

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:S/C:C/I:N/A:N)

Published

Jul 27, 2023

Added

Jul 27, 2023

Modified

Mar 27, 2026

Description

Incorrect permission checks in Jenkins Qualys Web App Scanning Connector Plugin 2.0.10 and earlier allow attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.

Solutions

jenkins-lts-upgrade-2_401_3jenkins-upgrade-2_416

References

CVE-2023-39154
https://attackerkb.com/topics/CVE-2023-39154
CWE-863
EUVD-EUVD-2023-2008
https://euvd.enisa.europa.eu/vulnerability/EUVD-2023-2008
https://jenkins.io/security/advisory/2023-07-26/

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report