Description

Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.

Remediation

References

https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429

Related Vulnerabilities

CVE-2020-6462 Vulnerability in npm package electron

CVE-2023-25822 Vulnerability in maven package com.epam.reportportal:service-api

CVE-2023-3691 Vulnerability in maven package org.webjars.bowergithub.layui:layui

CVE-2022-36906 Vulnerability in maven package org.jenkins-ci.plugins:openshift-deployer

CVE-2018-25031 Vulnerability in npm package swagger-ui-dist

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Issue Tracking Vendor Advisory NVD-CWE-noinfo