CVE-2022-25186

LOW3.1EPSS 0.07%

Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin

Published: 2/16/2022Modified: 11/8/2023

Description

Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.

Affected packages (1)

Maven/com.datapipe.jenkins.plugins:hashicorp-vault-pluginfrom 0, < 336.v182c0fbaaeb7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.1	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-25186
PATCHhttps://github.com/jenkinsci/hashicorp-vault-plugin
WEBhttps://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429