CVE-2022-23116 — Agent-to-controller security bypass in Jenkins Conjur Secrets Plugin allows decr

Description

Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

How to fix CVE-2022-23116

To remediate CVE-2022-23116, upgrade the affected package to a fixed version below.

—upgrade to 1.0.10 or later

Is CVE-2022-23116 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.0.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-23116
PATCHgithub.com/jenkinsci/conjur-credentials-plugin
WEBwww.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20(1)
WEBwww.openwall.com/lists/oss-security/2022/01/12/6