Description
Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.
Remediation
References
https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429