Description
Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.
Remediation
References
https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429
Related Vulnerabilities
CVE-2021-3536 Vulnerability in maven package org.wildfly:wildfly-parent
CVE-2016-0779 Vulnerability in maven package org.apache.tomee:openejb-client
CVE-2023-45135 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-war
CVE-2020-28496 Vulnerability in maven package org.webjars.npm:three