Description
Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.
Remediation
References
https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429