CVE-2022-25186
Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin
CVSS 3.1 base score: 3.1 (LOW)
EPSS: 0.07%
Description
Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that lets Jenkins agent processes retrieve any Vault secret for use on the agent, without restricting the request to the secrets the agent's own build was configured to receive. An attacker who controls an agent process (for example, by running arbitrary code on an agent through a build they can influence) can therefore obtain the Vault secret at an attacker-specified path and key, limited only by what the controller's Vault credentials are permitted to read. Because the lookup is issued by the agent and serviced by the controller, this is an agent-to-controller security bypass: the usual trust boundary, in which the controller decides what an agent may see, is not enforced.
How to fix CVE-2022-25186
To remediate CVE-2022-25186, upgrade the affected plugin to a fixed version:
- upgrade to 336.v182c0fbaaeb7 or later (the fixed release uses Jenkins' changelist-style version number, so it sorts above 3.8.0 by its leading number)
After upgrading, treat any secret readable with the controller's Vault credentials as potentially exposed if untrusted parties could run builds on your agents before the fix, and rotate accordingly.
Is CVE-2022-25186 being exploited?
Low. The EPSS score is 0.07%, meaning exploitation activity has not been observed at scale. EPSS estimates the likelihood of exploitation in the wild, not the ease of abuse on a given instance: an attacker who already controls an agent process needs no further exploit to request secrets.
Affected packages (1)
- Jenkins HashiCorp Vault Plugin: all versions from 0 up to, but not including, 336.v182c0fbaaeb7 (that is, 3.8.0 and earlier)
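The quickest check for an administrator is to compare the installed plugin version against the first fixed release. The following is an added example (not code from the advisory or from the plugin project) that does that comparison over a plugin inventory in the shape returned by a Jenkins controller's `/pluginManager/api/json?depth=1` endpoint. It assumes the plugin's Jenkins short name is `hashicorp-vault-plugin`; the inventory embedded below is constructed for illustration, not captured from a real controller.

```python
"""Flag an installed Jenkins HashiCorp Vault Plugin below the CVE-2022-25186 fix.

Added example, not part of the advisory or the plugin's own code.
Assumptions: the plugin's short name is 'hashicorp-vault-plugin' and the
inventory is the JSON from /pluginManager/api/json?depth=1 (only the
'plugins' array with 'shortName' and 'version' fields is used).
"""
import json
import re

PLUGIN_SHORT_NAME = "hashicorp-vault-plugin"   # assumed plugin ID in Jenkins
FIXED_VERSION = "336.v182c0fbaaeb7"          # first fixed release per the advisory


def parse_version(version: str) -> tuple:
    """Return the leading integer components of a Jenkins plugin version.

    Jenkins plugins moved from 'major.minor.patch' (3.8.0) to
    'changelist.v<git-hash>' (336.v182c0fbaaeb7). Both start with integer
    tokens, and the integer prefix is what orders them, so the comparison is
    done on that prefix and the trailing hash token is ignored.
    """
    parts = []
    for token in version.split("."):
        m = re.match(r"\d+", token)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed version sorts below the first fixed release."""
    parsed = parse_version(version)
    if not parsed:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return parsed < parse_version(FIXED_VERSION)


def find_affected(inventory_json: str) -> list:
    """Return [(shortName, version)] for installed copies below the fix."""
    data = json.loads(inventory_json)
    hits = []
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = plugin.get("version", "")
        if is_vulnerable(version):
            hits.append((plugin["shortName"], version))
    return hits


# Constructed sample inventory (not captured from a real controller).
SAMPLE_INVENTORY = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "4.10.3", "active": True},
        {"shortName": "hashicorp-vault-plugin", "version": "3.8.0", "active": True},
        {"shortName": "credentials", "version": "1087.v16065d268466", "active": True},
    ]
})

if __name__ == "__main__":
    for name, ver in find_affected(SAMPLE_INVENTORY):
        print(f"{name} {ver} is affected by CVE-2022-25186; "
              f"upgrade to {FIXED_VERSION} or later")
```

Feed the script the real endpoint output (for example, the body of a `curl -u user:token 'https://<controller>/pluginManager/api/json?depth=1'` call) in place of the constructed inventory. The comparison deliberately uses only the numeric prefix, which is also what makes 3.8.0 sort below 336.v182c0fbaaeb7; a version string with no leading integer is reported as an error rather than silently treated as safe.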
CVSS scores
| Source | CVSS version | Severity (score) | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW (3.1) | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |