Jenkins HashiCorp Vault Plugin Vulnerability Affects Log Security
CVE-2022-23109

6.5MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Hashicorp Vault Plugin
Vendor
CVE Published:
12 January 2022

Summary

The Jenkins HashiCorp Vault Plugin, up to version 3.7.0, does not adequately mask Vault credentials in Pipeline build logs and Pipeline step descriptions when used alongside Pipeline: Groovy Plugin 2.85 or later. This oversight can lead to sensitive information being inadvertently exposed, putting the integrity and confidentiality of secret management processes at risk. Organizations using this plugin should take immediate steps to secure their environments and monitor logs for any unintended credential disclosures.

Affected Version(s)

Jenkins HashiCorp Vault Plugin <= 3.7.0

References

https://www.jenkins.io/security/advisory/2022-01-12/#SECU...
x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2022/01/12/6
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.