Description
Agent-to-controller security bypass in Jenkins Conjur Secrets Plugin allows retrieving all credentials
Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller.
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-23117
- https://github.com/jenkinsci/conjur-credentials-plugin/pull/19
- https://github.com/jenkinsci/conjur-credentials-plugin/releases/tag/conjur-credentials-1.0.10
- https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20(2)
- http://www.openwall.com/lists/oss-security/2022/01/12/6
Packages
- Name: org.conjur.jenkins:conjur-credentials (maven)
- Affected versions: < 1.0.10
- Fixed version: 1.0.10
Related vulnerabilities
CVSS3: 7.5
nvd
about 4 years ago
Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to retrieve all username/password credentials stored on the Jenkins controller.