CVE-2022-25186 — Protection Mechanism Failure in Project Jenkins Hashicorp Vault Plugin

CWE-693 — Protection Mechanism Failure5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 77.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Hashicorp Vault Plugin Jenkins Hashicorp Vault

Timeline

PublishedFeb 15

Latest updateFeb 16

Description

Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_hashicorp_vault_pluginunspecified — 3.8.0

▶NVDjenkins/hashicorp_vault3.8.0

🔴Vulnerability Details

OSV

Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin↗2022-02-16

▶

GHSA

Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin↗2022-02-16

▶

CVEList

CVE-2022-25186: Jenkins HashiCorp Vault Plugin 3↗2022-02-15

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-02-15↗2022-02-15

▶