Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mbTZxLTk3Z3ctYzR3aM0sPg
Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin
Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.
Permalink: https://github.com/advisories/GHSA-fm6q-97gw-c4whJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mbTZxLTk3Z3ctYzR3aM0sPg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 3 years ago
Updated: almost 2 years ago
CVSS Score: 3.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00065
EPSS Percentile: 0.30497
Identifiers: GHSA-fm6q-97gw-c4wh, CVE-2022-25186
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25186
- https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429
- https://github.com/advisories/GHSA-fm6q-97gw-c4wh
Affected Packages
maven:com.datapipe.jenkins.plugins:hashicorp-vault-plugin
Affected Version Ranges: <= 3.8.0Fixed in: 336.v182c0fbaaeb7