CVE-2022-23116

MEDIUM5.3EPSS 0.04%

Agent-to-controller security bypass in Jenkins Conjur Secrets Plugin allows decrypting secrets

Published: 1/13/2022Modified: 11/8/2023

Description

Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

Affected packages (1)

Maven/org.conjur.jenkins:conjur-credentialsfrom 0, < 1.0.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-23116
PATCHhttps://github.com/jenkinsci/conjur-credentials-plugin
WEBhttps://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20(1)
WEBhttp://www.openwall.com/lists/oss-security/2022/01/12/6