Missing Permission Check in Jenkins Vault Plugin Exposes Sensitive Data
CVE-2022-36888

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Hashicorp Vault Plugin
Vendor: CVE Published:; 27 July 2022

Summary

A significant vulnerability exists in the Jenkins HashiCorp Vault Plugin which fails to enforce proper permissions. This flaw allows users with Overall/Read permission to exploit the system and gain unauthorized access to credentials stored in the Vault. By specifying paths and keys, attackers can retrieve sensitive data, compromising the security of the Jenkins environment.

Affected Version(s)

Jenkins HashiCorp Vault Plugin <= 354.vdb_858fd6b_f48

References

https://www.jenkins.io/security/advisory/2022-07-27/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/07/27/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 27, 2022
Vulnerability Reserved
Jul 27, 2022