CVE-2022-23116 – org.conjur.jenkins:conjur-credentials
Package
Manager: maven
Name: org.conjur.jenkins:conjur-credentials
Vulnerable Version: >=0 <1.0.10
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0034 (percentile: 0.56065)
Details
Agent-to-controller security bypass in Jenkins Conjur Secrets Plugin allows decrypting secrets.
Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.
Metadata
Created: 2022-01-13T00:00:52Z
Modified: 2022-11-29T21:30:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-g7fx-mmjc-r7gv/GHSA-g7fx-mmjc-r7gv.json
CWE IDs: ["CWE-311"]
Alternative ID: GHSA-g7fx-mmjc-r7gv
Finding: F020
Auto approve: 1