Improper authorization control for web services in com.datapipe.jenkins.plugins:hashicorp-vault-plugin

Description

Jenkins HashiCorp Vault Plugin does not perform permission checks in several HTTP endpoints that perform Vault connection tests. A missing permission check in Jenkins HashiCorp Vault Plugin 354.vdb_858fd6b_f48 and earlier allows attackers with Overall/Read permission to obtain credentials stored in Vault with attacker-specified path and keys.
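One way to audit your own Jenkins plugin sources for the same class of gap, as an added example that is not code from the plugin or from this advisory: Stapler exposes public `do*` methods as HTTP endpoints, so this heuristic flags any such method whose body never calls `checkPermission` or `hasPermission`. The Java sample is constructed and its class and method names are hypothetical.

```python
import re

# Stapler routes public methods named do<Name> as HTTP endpoints.
WEB_METHOD = re.compile(r"public\s+[\w.<>\[\]]+\s+(do[A-Z]\w*)\s*\(")
PERMISSION_CALL = re.compile(r"\b(?:checkPermission|hasPermission)\s*\(")

def method_body(src, pos):
    """Return the brace-delimited body that follows pos, or None for a declaration."""
    brace, semi = src.find("{", pos), src.find(";", pos)
    if brace == -1 or (semi != -1 and semi < brace):
        return None  # abstract or interface method: nothing to inspect
    depth = 0
    for i in range(brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[brace + 1:i]
    return src[brace + 1:]  # unbalanced source: inspect what is there

def unchecked_endpoints(src):
    """List (method name, line number) for do* methods with no permission call."""
    findings = []
    for m in WEB_METHOD.finditer(src):
        body = method_body(src, m.end())
        if body is not None and not PERMISSION_CALL.search(body):
            findings.append((m.group(1), src.count("\n", 0, m.start()) + 1))
    return findings

# Constructed sample; class and method names are hypothetical.
SAMPLE = """
public class ExampleDescriptor {
    public FormValidation doTestConnection(@QueryParameter String url, @QueryParameter String path) {
        return FormValidation.ok(client(url).read(path));
    }
    public FormValidation doCheckUrl(@AncestorInPath Item item, @QueryParameter String url) {
        if (item == null) {
            Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        } else {
            item.checkPermission(Item.CONFIGURE);
        }
        return FormValidation.ok();
    }
}
"""

if __name__ == "__main__":
    for name, line in unchecked_endpoints(SAMPLE):
        print(f"line {line}: {name} has no permission check")
```

A method that delegates its check to a helper is reported as well, so treat each hit as a candidate for manual review rather than a confirmed finding.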

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions