CVE-2022-25197: Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin allows reading arbitrary files

February 16, 2022 (updated December 1, 2022)

Jenkins HashiCorp Vault Plugin 336.v182c0fbaaeb7 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.

References

github.com/advisories/GHSA-2587-w93g-63m2
github.com/jenkinsci/hashicorp-vault-plugin/releases/tag/351.vdb_f83a_1c6a_9d
nvd.nist.gov/vuln/detail/CVE-2022-25197
www.jenkins.io/security/advisory/2022-02-15/

Code Behaviors & Features

Detect and mitigate CVE-2022-25197 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →