Jenkins HashiCorp Vault Plugin: Unauthorized Retrieval of Vault Secrets by Agent Processes

CVE-2022-25186 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.

Learn more about our Web Application Penetration Testing UK.