Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mbTZxLTk3Z3ctYzR3aM0sPg
Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin
Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.
Permalink: https://github.com/advisories/GHSA-fm6q-97gw-c4whJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mbTZxLTk3Z3ctYzR3aM0sPg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 2 years ago
Updated: 10 months ago
CVSS Score: 3.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-fm6q-97gw-c4wh, CVE-2022-25186
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25186
- https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429
- https://github.com/advisories/GHSA-fm6q-97gw-c4wh
Affected Packages
maven:com.datapipe.jenkins.plugins:hashicorp-vault-plugin
Versions: <= 3.8.0Fixed in: 336.v182c0fbaaeb7