GHSA-3fm2-hx3h-xm4v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3fm2-hx3h-xm4v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-3fm2-hx3h-xm4v/GHSA-3fm2-hx3h-xm4v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3fm2-hx3h-xm4v
- Aliases
-
- CVE-2025-67642
- Published
- 2025-12-10T18:30:27Z
- Modified
- 2025-12-10T20:41:14.479649Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Jenkins HashiCorp Vault Plugin exposes system-scoped Vault credentials
- Details
-
Jenkins HashiCorp Vault Plugin 371.v884a4dd60fb6 and earlier does not set the appropriate context for Vault credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Vault credentials they are not entitled to.
- Database specific
{ "github_reviewed_at": "2025-12-10T20:18:21Z", "severity": "MODERATE", "cwe_ids": [ "CWE-282" ], "github_reviewed": true, "nvd_published_at": "2025-12-10T17:15:56Z" }- References
Affected packages
Maven / com.datapipe.jenkins.plugins:hashicorp-vault-plugin
Package
- Name
- com.datapipe.jenkins.plugins:hashicorp-vault-plugin
- View open source insights on deps.dev
- Purl
- pkg:maven/com.datapipe.jenkins.plugins/hashicorp-vault-plugin
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected371
Affected versions
1.*
1.0
1.1
1.2
1.3
1.4
2.*
2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.3.0
2.3.1
2.4.0
2.5.0
3.*
3.0.0
3.1.0
3.1.1
3.2.0
3.3.0
3.4.0
3.4.1
3.5.0
3.6.0
3.6.1
3.7.0
3.8.0
336.*
336.v182c0fbaaeb7
351.*
351.vdb_f83a_1c6a_9d
354.*
354.vdb_858fd6b_f48
355.*
355.v3b_38d767a_b_a_8
356.*
356.ved18810a_b_828
359.*
359.v2da_3b_45f17d5
360.*
360.v0a_1c04cf807d
361.*
361.v44fea_4fc08d9
362.*
362.v8dfe4061f29e
363.*
363.va_f8c1627db_b_a
364.*
364.vf5d54b_3dc313
366.*
366.v3b_57135510d6
367.*
367.v8a_1ee1cccf3a
368.*
368.v48134f694db_f
369.*
369.vd49b_f7441a_a_3
370.*
370.v946b_53544a_30