PT-2022-17126 · Hashicorp · Jenkins HashiCorp Vault Plugin
Daniel Beck
Published: 2022-02-15 · Updated: 2023-11-15
CVE-2022-25186
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins HashiCorp Vault Plugin versions 3.8.0 and earlier
Description
The plugin allows agent processes to retrieve any Vault secret for use on the agent. Attackers able to control an agent process can therefore obtain the Vault secret at an attacker-specified path and key.
Recommendations
For Jenkins HashiCorp Vault Plugin versions 3.8.0 and earlier, restrict access to the Vault secrets to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the functionality that allows agent processes to retrieve Vault secrets.
Weakness Enumeration
Protection Mechanism Failure
Affected Products
Jenkins
Jenkins Hashicorp Vault Plugin