Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oNng3LWpxNDYtZnAzM80ijA
Improper credentials masking in Jenkins HashiCorp Vault Plugin
Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed.
Permalink: https://github.com/advisories/GHSA-h6x7-jq46-fp33JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNng3LWpxNDYtZnAzM80ijA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 3 years ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00063
EPSS Percentile: 0.2915
Identifiers: GHSA-h6x7-jq46-fp33, CVE-2022-23109
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-23109
- https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2213
- http://www.openwall.com/lists/oss-security/2022/01/12/6
- https://github.com/jenkinsci/hashicorp-vault-plugin/commit/c7ad9779320bd8640d83790a985ebab240249b13
- https://github.com/advisories/GHSA-h6x7-jq46-fp33
Blast Radius: 1.0
Affected Packages
maven:com.datapipe.jenkins.plugins:hashicorp-vault-plugin
Affected Version Ranges: < 3.8.0Fixed in: 3.8.0