GHSA-g7fx-mmjc-r7gv

Source

https://github.com/advisories/GHSA-g7fx-mmjc-r7gv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-g7fx-mmjc-r7gv/GHSA-g7fx-mmjc-r7gv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g7fx-mmjc-r7gv

Aliases

CVE-2022-23116

Published

2022-01-13T00:00:52Z

Modified

2023-11-08T04:08:17.007304Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Agent-to-controller security bypass in Jenkins Conjur Secrets Plugin allows decrypting secrets

Details

Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

Database specific

{
    "nvd_published_at": "2022-01-12T20:15:00Z",
    "github_reviewed_at": "2022-11-29T21:30:23Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-311"
    ]
}

References

Affected packages

Maven / org.conjur.jenkins:conjur-credentials

Package

Name: org.conjur.jenkins:conjur-credentials; View open source insights on deps.dev
Purl: pkg:maven/org.conjur.jenkins/conjur-credentials

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.10

Affected versions

1.*

1.0.2

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9