Jenkins HashiCorp Vault Plugin Vulnerability Affects Log Security
CVE-2022-23109

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Hashicorp Vault Plugin
Vendor: CVE Published:; 12 January 2022

What is CVE-2022-23109?

The Jenkins HashiCorp Vault Plugin, up to version 3.7.0, does not adequately mask Vault credentials in Pipeline build logs and Pipeline step descriptions when used alongside Pipeline: Groovy Plugin 2.85 or later. This oversight can lead to sensitive information being inadvertently exposed, putting the integrity and confidentiality of secret management processes at risk. Organizations using this plugin should take immediate steps to secure their environments and monitor logs for any unintended credential disclosures.

Affected Version(s)

Jenkins HashiCorp Vault Plugin <= 3.7.0

References

https://www.jenkins.io/security/advisory/2022-01-12/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/01/12/6

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 12, 2022
Vulnerability Reserved
Jan 11, 2022