PT-2022-15860 · Jenkins · Jenkins Conjur Secrets Plugin+1

Published: 2022-01-12 · Updated: 2023-11-30 · CVE-2022-23117

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Conjur Secrets Plugin versions 1.0.9 and earlier

Description: The issue allows attackers who can control agent processes to retrieve all username/password credentials stored on the Jenkins controller. This is due to the implementation of certain functionality in the affected plugin.

Recommendations: For Jenkins Conjur Secrets Plugin versions 1.0.9 and earlier, update to a version later than 1.0.9 to resolve the issue.

Fix

Weakness Enumeration

Improper Privilege Management
Insufficiently Protected Credentials

Related Identifiers

CVE-2022-23117
GHSA-CW68-XMM4-C83R

Affected Products

Jenkins
Jenkins Conjur Secrets Plugin