gsd-2022-25186
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-25186",
"description": "Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.",
"id": "GSD-2022-25186"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-25186"
],
"details": "Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.",
"id": "GSD-2022-25186",
"modified": "2023-12-13T01:19:27.176129Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2022-25186",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Jenkins HashiCorp Vault Plugin",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "unspecified",
"version_value": "3.8.0"
}
]
}
}
]
},
"vendor_name": "Jenkins project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429",
"refsource": "MISC",
"url": "https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,3.8.0]",
"affected_versions": "All versions up to 3.8.0",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-02-17",
"description": "Jenkins HashiCorp Vault Plugin implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.",
"fixed_versions": [],
"identifier": "CVE-2022-25186",
"identifiers": [
"GHSA-fm6q-97gw-c4wh",
"CVE-2022-25186"
],
"not_impacted": "",
"package_slug": "maven/com.datapipe.jenkins.plugins/hashicorp-vault-plugin",
"pubdate": "2022-02-16",
"solution": "Unfortunately, there is no solution available yet.",
"title": "Secret exposure in Jenkins HashiCorp Vault Plugin",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-25186",
"https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429",
"https://github.com/advisories/GHSA-fm6q-97gw-c4wh"
],
"uuid": "00c932be-0ad6-414d-b436-0b4b2c1204fb"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:jenkins:hashicorp_vault:*:*:*:*:*:jenkins:*:*",
"cpe_name": [],
"versionEndIncluding": "3.8.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "jenkinsci-cert@googlegroups.com",
"ID": "CVE-2022-25186"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2023-11-15T03:39Z",
"publishedDate": "2022-02-15T17:15Z"
}
}
}
Loading...