1. Home
  2. Security Advisories
  3. Jenkins
  4. JENKINS:SECURITY-2593

[JENKINS:SECURITY-2593] Missing permission checks in `hashicorp-vault-plugin` allow capturing credentials

Severity Medium
Affected Packages 2
Fixed Packages 2
CVEs 1
Info Packages References Vulnerabilities

hashicorp-vault-plugin 354.vdb_858fd6b_f48 and earlier does not perform permission checks in several HTTP endpoints performing Vault connection tests.

This allows attackers with Overall/Read permission to obtain credentials stored in Vault with attacker-specified path and keys.

hashicorp-vault-plugin 355.v3b_38d767a_b_a_8 requires Overall/Administer permission to perform Vault connection tests.

Package Affected Version
pkg:maven/org.jenkins-ci.plugins/hashicorp-vault-plugin <= 354.vdb_858fd6b_f48
pkg:github/jenkinsci/hashicorp-vault-plugin-plugin <= 354.vdb_858fd6b_f48
Package Fixed Version
pkg:maven/org.jenkins-ci.plugins/hashicorp-vault-plugin = 355.v3b_38d767a_b_a_8
pkg:github/jenkinsci/hashicorp-vault-plugin-plugin = 355.v3b_38d767a_b_a_8
ID
JENKINS:SECURITY-2593
Severity
medium
Published
2022-07-27T00:00:00
(2 years ago)
Modified
2022-07-27T00:00:00
(2 years ago)
Rights
Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository hashicorp-vault-plugin repository https://github.com/jenkinsci/hashicorp-vault-plugin-plugin
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.jenkins-ci.plugins/hashicorp-vault-plugin org.jenkins-ci.plugins hashicorp-vault-plugin <= 354.vdb_858fd6b_f48
Fixed pkg:maven/org.jenkins-ci.plugins/hashicorp-vault-plugin org.jenkins-ci.plugins hashicorp-vault-plugin = 355.v3b_38d767a_b_a_8
Affected pkg:github/jenkinsci/hashicorp-vault-plugin-plugin jenkinsci hashicorp-vault-plugin-plugin <= 354.vdb_858fd6b_f48
Fixed pkg:github/jenkinsci/hashicorp-vault-plugin-plugin jenkinsci hashicorp-vault-plugin-plugin = 355.v3b_38d767a_b_a_8
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date