GHSA-fm6q-97gw-c4wh

Suggest an improvement
Source
https://github.com/advisories/GHSA-fm6q-97gw-c4wh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-fm6q-97gw-c4wh/GHSA-fm6q-97gw-c4wh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fm6q-97gw-c4wh
Aliases
  • CVE-2022-25186
Published
2022-02-16T00:01:28Z
Modified
2023-11-08T04:08:42.753265Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin
Details

Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.

References

Affected packages

Maven / com.datapipe.jenkins.plugins:hashicorp-vault-plugin

Package

Name
com.datapipe.jenkins.plugins:hashicorp-vault-plugin
View open source insights on deps.dev
Purl
pkg:maven/com.datapipe.jenkins.plugins/hashicorp-vault-plugin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
336.v182c0fbaaeb7

Affected versions

1.*

1.0
1.1
1.2
1.3
1.4

2.*

2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.3.0
2.3.1
2.4.0
2.5.0

3.*

3.0.0
3.1.0
3.1.1
3.2.0
3.3.0
3.4.0
3.4.1
3.5.0
3.6.0
3.6.1
3.7.0
3.8.0

Database specific

{
    "last_known_affected_version_range": "<= 3.8.0"
}