CVE-2022-25186 – com.datapipe.jenkins.plugins:hashicorp-vault-plugin
Package
Manager: maven
Name: com.datapipe.jenkins.plugins:hashicorp-vault-plugin
Vulnerable Version: >=0 <336.v182c0fbaaeb7
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00623 (percentile: 0.69219)
Details
Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin
Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent. Attackers able to control agent processes can therefore obtain Vault secrets for an attacker-specified path and key.
Metadata
Created: 2022-02-16T00:01:28Z
Modified: 2022-12-01T23:35:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-fm6q-97gw-c4wh/GHSA-fm6q-97gw-c4wh.json
CWE IDs: ["CWE-693"]
Alternative ID: GHSA-fm6q-97gw-c4wh
Finding: F115
Auto approve: 1