Description
Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.
Remediation
References
https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429
Related Vulnerabilities
CVE-2022-33140 Vulnerability in maven package org.apache.nifi:nifi-shell-authorizer
CVE-2023-25813 Vulnerability in npm package sequelize
CVE-2021-21118 Vulnerability in maven package org.webjars.npm:electron
CVE-2017-7525 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind
CVE-2023-37947 Vulnerability in maven package org.openshift.jenkins:openshift-login