CVE-2022-23117

CWE-522 — Insufficiently Protected Credentials CWE-269 — Improper Privilege Management5 documents5 sources

Severity

7.5HIGH

EPSS

0.1%

top 83.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Conjur Secrets Plugin Jenkins Conjur Secrets

Timeline

PublishedJan 12

Latest updateJan 13

Description

Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_conjur_secrets_pluginunspecified — 1.0.9

▶Mavenorg.conjur.jenkins:conjur-credentials< 1.0.10

▶NVDjenkins/conjur_secrets1.0.9

🔴Vulnerability Details

OSV

Agent-to-controller security bypass in Jenkins Conjur Secrets Plugin allows retrieving all credentials↗2022-01-13

▶

GHSA

Agent-to-controller security bypass in Jenkins Conjur Secrets Plugin allows retrieving all credentials↗2022-01-13

▶

CVEList

CVE-2022-23117: Jenkins Conjur Secrets Plugin 1↗2022-01-12

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-01-12↗2022-01-12

▶