Description
Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent. Attackers able to control agent processes can therefore obtain Vault secrets for an attacker-specified path and key.
Remediation
References
https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429
Related Vulnerabilities
CVE-2019-1003087 Vulnerability in maven package org.jenkins-ci.plugins:sinatra-chef-builder
CVE-2023-29208 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore
CVE-2020-2187 Vulnerability in maven package org.jenkins-ci.plugins:ec2
CVE-2022-0853 Vulnerability in maven package jboss:jboss-client
CVE-2017-7556 Vulnerability in maven package io.hawt:project