GHSA-8wgf-3mrj-73x7
GitHub Security Advisory
Incorrect permission checks in Qualys Web App Scanning Connector Plugin allow capturing credentials
GitHub Reviewed. Severity: MODERATE. Has CVE.
Advisory Details
Qualys Web App Scanning Connector Plugin 2.0.10 and earlier does not correctly perform permission checks in several HTTP endpoints.
This allows attackers with global Item/Configure permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
Qualys Web App Scanning Connector Plugin 2.0.11 requires the appropriate permissions for the affected HTTP endpoints.
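As an added illustration, not code from the Qualys plugin (whose source is not on this page), the following shows a generic Jenkins plugin "test connection" form-validation endpoint in the weak shape this advisory class describes, next to the hardened form that follows Jenkins plugin development guidance: a POST-only method, an explicit permission check before any work, and credential lookup restricted to the context of the item being configured. Package, class, method and parameter names are hypothetical.

```java
// Added example, not the Qualys plugin's own code. Package and class names are hypothetical.
package example;

import com.cloudbees.plugins.credentials.CredentialsMatchers;
import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.FormValidation;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.QueryParameter;
import org.kohsuke.stapler.verb.POST;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;

public class ConnectorDescriptorExample {

    // BEFORE (the weak shape): reachable by GET, no permission check, and the
    // credentials ID is resolved system-wide. Whoever can reach the endpoint chooses
    // both the destination URL and which stored secret Jenkins sends to it.
    public FormValidation doTestConnectionUnsafe(@QueryParameter String apiServer,
                                                 @QueryParameter String credentialsId) {
        StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        Jenkins.get(), ACL.SYSTEM,
                        Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
        return probe(apiServer, creds);
    }

    // AFTER (hardened): POST only, a permission check before any work, and credentials
    // resolved only in the context of the item being configured, so a credential the
    // caller may not use from that item is simply not found.
    @POST
    public FormValidation doTestConnection(@AncestorInPath Item item,
                                           @QueryParameter String apiServer,
                                           @QueryParameter String credentialsId) {
        if (item == null) {
            // Global configuration page: only administrators may trigger a connection.
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        StandardUsernamePasswordCredentials creds = CredentialsMatchers.firstOrNull(
                CredentialsProvider.lookupCredentials(
                        StandardUsernamePasswordCredentials.class,
                        item, ACL.SYSTEM,                     // null item falls back to the root
                        Collections.<DomainRequirement>emptyList()),
                CredentialsMatchers.withId(credentialsId));
        if (creds == null) {
            return FormValidation.error("Credentials not found in this context");
        }
        return probe(apiServer, creds);
    }

    // Minimal connectivity probe: a HEAD request with HTTP Basic authentication.
    // This is why the missing checks matter: the stored username and password leave
    // Jenkins toward whatever host apiServer names, so the caller must be authorised
    // to use exactly that credential against exactly that target.
    private static FormValidation probe(String apiServer, StandardUsernamePasswordCredentials creds) {
        if (creds == null) {
            return FormValidation.error("Credentials not found");
        }
        try {
            URL url = new URL(apiServer);
            if (!"https".equals(url.getProtocol())) {
                return FormValidation.error("Only https:// endpoints are accepted");
            }
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            String token = creds.getUsername() + ":" + creds.getPassword().getPlainText();
            conn.setRequestProperty("Authorization", "Basic "
                    + Base64.getEncoder().encodeToString(token.getBytes(StandardCharsets.UTF_8)));
            int status = conn.getResponseCode();
            return status < 400
                    ? FormValidation.ok("Connected (HTTP " + status + ")")
                    : FormValidation.error("Server answered HTTP " + status);
        } catch (IOException e) {
            return FormValidation.error("Connection failed: " + e.getMessage());
        }
    }
}
```

The two differences that close this class of issue are the `checkPermission` call (which throws an access-denied response before any network activity) and passing `item` rather than the Jenkins root to `lookupCredentials`, so that a credentials ID learned elsewhere resolves only if that item is allowed to use it. Restricting the method to `@POST` additionally stops the endpoint from being triggered by a plain link.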
Affected Packages
Maven: com.qualys.plugins:qualys-was
Affected versions: all versions before 2.0.11 (2.0.10 and earlier); fixed in 2.0.11
Key Information
Severity score: 5.0/10
Dataset: last updated August 24, 2025 6:28 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.