CVE-2022-25186

Опубликовано: 15 фев. 2022

Источник: nvd

CVSS3: 6.5

CVSS2: 4

EPSS Низкий

Описание

Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.

Ссылки

https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429
Issue Tracking
Vendor Advisory
https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429
Issue Tracking
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jenkins:hashicorp_vault:*:*:*:*:*:jenkins:*:*

Версия до 3.8.0 (включая)

EPSS

Процентиль: 41%

0.00188

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

GHSA-fm6q-97gw-c4wh

CVSS3: 3.1

github

почти 4 года назад

Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin