CVE-2022-25197: Protection Mechanism Failure in Project Jenkins Hashicorp Vault Plugin

Severity
6.5 MEDIUM (NVD)
EPSS
0.1%
top 72.22%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 15
Latest update: Feb 16

Description

Jenkins HashiCorp Vault Plugin 336.v182c0fbaaeb7 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages: 2 packages

CVEListV5   jenkins_project/jenkins_hashicorp_vault_plugin   unspecified   336.v182c0fbaaeb7
NVD   jenkins/hashicorp_vault   336.v182c0fbaaeb7

Patches

Vulnerability Details (3)

GHSA: Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin allows reading arbitrary files (2022-02-16)
OSV: Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin allows reading arbitrary files (2022-02-16)
CVEList: CVE-2022-25197: Jenkins HashiCorp Vault Plugin 336 (2022-02-15)

Vendor Advisories (1)

Jenkins: Jenkins Security Advisory 2022-02-15 (2022-02-15)