CVE-2022-25186: Secret exposure in Jenkins HashiCorp Vault Plugin

February 16, 2022 (updated February 17, 2022)

Jenkins HashiCorp Vault Plugin implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.

References

github.com/advisories/GHSA-fm6q-97gw-c4wh
nvd.nist.gov/vuln/detail/CVE-2022-25186
www.jenkins.io/security/advisory/2022-02-15/

Detect and mitigate CVE-2022-25186 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →