VYPR
Low severity · NVD Advisory · Published Feb 15, 2022 · Updated Aug 3, 2024

CVE-2022-25186

Description

Jenkins HashiCorp Vault Plugin 3.8.0 and earlier allows agents to retrieve arbitrary Vault secrets, enabling attackers with agent control to exfiltrate secrets.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins HashiCorp Vault Plugin versions 3.8.0 and earlier implement functionality that lets agent processes retrieve Vault secrets for use on the agent. The plugin does not restrict which secrets an agent may request, so an attacker who controls an agent process can specify any Vault path and key and obtain the corresponding secret. [1][3]

Exploitation

An attacker needs to be able to control an agent process, for example by having Job/Configure permission or by exploiting another vulnerability that grants agent control. The attacker can then use the plugin's agent-side functionality to request Vault secrets for an arbitrary path and key, without proper authorization checks. [1]

Impact

Successful exploitation allows the attacker to obtain any Vault secrets that the Jenkins controller's Vault token has access to. This can lead to disclosure of sensitive credentials, tokens, or other secrets stored in Vault, potentially enabling further compromise. [1][3]

Mitigation

Jenkins has released HashiCorp Vault Plugin version 3.9.0 which fixes this issue. Users should upgrade to 3.9.0 or later. No workaround is mentioned. The plugin is not listed on the CISA KEV. [1]
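A practical follow-up to the upgrade advice is to verify which build of the plugin each controller actually runs. The script below is an added example, not code from the advisory or from the plugin project. It assumes the plugin inventory comes from Jenkins' own /pluginManager/api/json?depth=1 endpoint (which lists each plugin's shortName and version), uses the patched build from the affected-packages table above as the threshold, and simplifies Jenkins' version ordering to a comparison of leading numeric components; the sample inventory is constructed.

```python
"""Audit a Jenkins plugin inventory for HashiCorp Vault Plugin builds
affected by CVE-2022-25186 (older than the patched build).

Added example, not from the advisory or the plugin project. Assumes the
inventory JSON has the shape returned by /pluginManager/api/json?depth=1.
"""
import json
import re

# Plugin id and patched build as given in the advisory's affected-packages table.
PLUGIN_SHORT_NAME = "hashicorp-vault-plugin"
PATCHED_VERSION = "336.v182c0fbaaeb7"


def parse_version(version: str) -> tuple:
    """Reduce a Jenkins plugin version to its leading numeric components.

    Jenkins plugins use both classic "3.8.0" numbering and the newer
    incremental "336.v182c0fbaaeb7" form. The first numeric component is
    what orders the two families, so non-numeric trailers are dropped.
    This is a simplification of Jenkins' own VersionNumber ordering
    (assumption made for this example).
    """
    parts = []
    for token in re.split(r"[.\-_]", version):
        if token.isdigit():
            parts.append(int(token))
        else:
            break  # stop at "v182c0fbaaeb7", "SNAPSHOT", "rc1", etc.
    return tuple(parts)


def version_less_than(a: str, b: str) -> bool:
    """True when version a sorts strictly before version b."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    # Pad with zeros so "3.8" and "3.8.0" compare as equal.
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def is_affected(version: str) -> bool:
    """A build is affected when it is older than the patched build.

    Builds with the same leading number as the patched build but a
    different trailer compare as equal here and are reported as not
    affected; check such cases by hand.
    """
    return version_less_than(version, PATCHED_VERSION)


def audit_inventory(inventory_json: str) -> list:
    """Return [(shortName, version, affected)] for every Vault plugin entry."""
    inventory = json.loads(inventory_json)
    findings = []
    for plugin in inventory.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = plugin.get("version", "")
        findings.append((PLUGIN_SHORT_NAME, version, is_affected(version)))
    return findings


# Constructed sample mimicking the shape of /pluginManager/api/json?depth=1.
SAMPLE_INVENTORY = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "4.10.3", "active": True},
        {"shortName": "hashicorp-vault-plugin", "version": "3.8.0", "active": True},
    ]
})

if __name__ == "__main__":
    for name, version, affected in audit_inventory(SAMPLE_INVENTORY):
        status = "AFFECTED - upgrade" if affected else "ok"
        print(f"{name} {version}: {status}")
```

Feed the script the JSON from each controller's plugin manager endpoint instead of SAMPLE_INVENTORY to get a per-controller list of builds that still need the upgrade.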

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.datapipe.jenkins.plugins:hashicorp-vault-plugin (Maven)
Affected versions: < 336.v182c0fbaaeb7
Patched versions: 336.v182c0fbaaeb7

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 1