CVE-2022-23117 – org.conjur.jenkins:conjur-credentials
Package
Manager: maven
Name: org.conjur.jenkins:conjur-credentials
Vulnerable Version: >=0 <1.0.10
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00609 (percentile: 0.68769)
Details
Agent-to-controller security bypass in Jenkins Conjur Secrets Plugin allows retrieving all credentials
Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller.
Metadata
Created: 2022-01-13T00:00:53Z
Modified: 2022-11-29T21:35:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-cw68-xmm4-c83r/GHSA-cw68-xmm4-c83r.json
CWE IDs: ["CWE-269"]
Alternative ID: GHSA-cw68-xmm4-c83r
Finding: F159
Auto approve: 1