CVE-2022-23109: Insufficiently Protected Credentials

January 13, 2022 (updated November 29, 2022)

Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed.

References

www.openwall.com/lists/oss-security/2022/01/12/6
github.com/advisories/GHSA-h6x7-jq46-fp33
nvd.nist.gov/vuln/detail/CVE-2022-23109
www.jenkins.io/security/advisory/2022-01-12/

Detect and mitigate CVE-2022-23109 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →