Description

Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.

Remediation

References

https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429

Related Vulnerabilities

CVE-2020-14326 Vulnerability in maven package org.jboss.resteasy:resteasy-core

CVE-2018-14041 Vulnerability in maven package org.webjars.bowergithub.twbs:bootstrap

CVE-2021-42697 Vulnerability in maven package com.typesafe.akka:akka-http_2.13

CVE-2020-7649 Vulnerability in npm package snyk-broker

CVE-2021-42550 Vulnerability in maven package ch.qos.logback:logback-core

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Issue Tracking Vendor Advisory NVD-CWE-noinfo