CVE-2023-6149: 
Java vulnerability analysis and mitigation

CVE-2023-6149 is a security vulnerability discovered in Qualys Jenkins Plugin for WAS (Web Application Security) versions up to and including 2.0.11. The vulnerability was disclosed on January 9, 2024, and affects the plugin's connectivity check functionality to Qualys Cloud Services (Qualys Advisory).

The vulnerability stems from a missing permission check while performing connectivity checks to Qualys Cloud Services. The issue is classified as CWE-611 (Improper Restriction of XML External Entity Reference). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N, while Qualys assessed it with a score of 5.7 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N (NVD).

The vulnerability could allow any user with login access and permission to configure or edit jobs to utilize the plugin and configure a rogue endpoint. Through this endpoint, an attacker could control responses for certain requests and inject XXE payloads, leading to XXE exploitation while processing the response data (Qualys Advisory).

Users are advised to upgrade to Qualys Jenkins Plugin for WAS version 2.0.12 or later to address this vulnerability. This version includes the necessary permission check implementation to prevent unauthorized access (Qualys Advisory).