ghsa-fm6q-97gw-c4wh
Vulnerability from github
Published
2022-02-16 00:01
Modified
2022-12-01 23:35
Severity
Low (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
Summary
Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin
Details
Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that lets agent processes retrieve any Vault secret for use on the agent. As a result, an attacker who can control an agent process can obtain Vault secrets for an attacker-specified path and key. The affected range in this advisory lists 336.v182c0fbaaeb7 as the fixed version.
{ "affected": [ { "database_specific": { "last_known_affected_version_range": "\u003c= 3.8.0" }, "package": { "ecosystem": "Maven", "name": "com.datapipe.jenkins.plugins:hashicorp-vault-plugin" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "336.v182c0fbaaeb7" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2022-25186" ], "database_specific": { "cwe_ids": [ "CWE-693" ], "github_reviewed": true, "github_reviewed_at": "2022-02-16T22:47:15Z", "nvd_published_at": "2022-02-15T17:15:00Z", "severity": "LOW" }, "details": "Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.", "id": "GHSA-fm6q-97gw-c4wh", "modified": "2022-12-01T23:35:47Z", "published": "2022-02-16T00:01:28Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25186" }, { "type": "PACKAGE", "url": "https://github.com/jenkinsci/hashicorp-vault-plugin" }, { "type": "WEB", "url": "https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "type": "CVSS_V3" } ], "summary": "Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin" }