CVE-2023-6147: 
Java vulnerability analysis and mitigation

Qualys Jenkins Plugin for Policy Compliance versions up to and including 1.0.5 contains a security vulnerability identified as CVE-2023-6147. The vulnerability was discovered due to missing permission checks while performing connectivity checks to Qualys Cloud Services. The flaw was disclosed on January 9, 2024, affecting the plugin's XML parsing functionality (Jenkins Advisory, Vendor Advisory).

The vulnerability stems from the plugin's failure to configure its XML parser to prevent XML external entity (XXE) attacks. This security flaw allows users with login access to configure or edit jobs to utilize the plugin and configure a rogue endpoint. Through this endpoint, it was possible to control responses for certain requests which could be injected with XXE payloads, leading to XXE while processing the response data. The vulnerability has been assigned a CVSS v3.1 base score of 5.7 (Medium) by Qualys, with the vector string AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N (NVD).

The vulnerability enables attackers with job configuration access to have Jenkins parse crafted HTTP responses containing XML data that uses external entities. This can lead to extraction of secrets from the Jenkins controller or enable server-side request forgery attacks (Jenkins Advisory).

The vulnerability has been patched in Qualys Jenkins Plugin for Policy Compliance version 1.0.6, which disables external entity resolution for its XML parser. Users are strongly advised to upgrade to this version or later to mitigate the risk (Jenkins Advisory).