Description
Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.
Remediation
References
https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429