PT-2022-1879 · Hashicorp · Jenkins Hashicorp Vault Plugin

Daniel Beck · Published 2022-02-15 · Updated 2023-11-03 · CVE-2022-25197

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins HashiCorp Vault Plugin versions 336.v182c0fbaaeb7 and earlier

Description: The plugin allows agent processes to read arbitrary files on the Jenkins controller file system. Attackers who can control an agent process can therefore read arbitrary files on the controller. The vulnerability is classified as a protection mechanism failure, i.e. a violation of the data protection mechanism that should separate agents from the controller.

Recommendations: Update Jenkins HashiCorp Vault Plugin 336.v182c0fbaaeb7 and earlier to a version later than 336.v182c0fbaaeb7 to resolve the issue. For Jenkins 2.318 and earlier, and LTS 2.303.2 and earlier, upgrade to a newer version, such as Jenkins LTS 2.303.3 or later, to mitigate the risk of exploitation. As a temporary workaround, restrict access to agent processes to minimize the risk of exploitation.

Fix

Weakness Enumeration

Protection Mechanism Failure

Related Identifiers

BDU:2022-01384
CVE-2022-25197
GHSA-2587-W93G-63M2

Affected Products

Jenkins
Jenkins Hashicorp Vault Plugin