CVE-2022-23109 — Improper credentials masking in Jenkins HashiCorp Vault Plugin

Description

Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed.

How to fix CVE-2022-23109

To remediate CVE-2022-23109, upgrade the affected package to a fixed version below.

Maven/com.datapipe.jenkins.plugins:hashicorp-vault-plugin—upgrade to 3.8.0 or later

Is CVE-2022-23109 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.8.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-23109
PATCHgithub.com/jenkinsci/hashicorp-vault-plugin
WEBgithub.com/jenkinsci/hashicorp-vault-plugin/commit/c7ad9779320bd8640d83790a985ebab240249b13
WEBwww.jenkins.io/security/advisory/2022-01-12/#SECURITY-2213