CVE-2022-25186
First published: Tue Feb 15 2022(Updated: )
Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.
Credit: jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| HashiCorp Vault | <=3.8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2022-25186?
CVE-2022-25186 is classified as a high-severity vulnerability due to the potential unauthorized access to Vault secrets.
How do I fix CVE-2022-25186?
To fix CVE-2022-25186, upgrade to Jenkins HashiCorp Vault Plugin version 3.8.1 or later.
What type of vulnerability is CVE-2022-25186?
CVE-2022-25186 is a security vulnerability that allows agent processes to retrieve any Vault secrets.
Who is affected by CVE-2022-25186?
Jenkins users running HashiCorp Vault Plugin versions 3.8.0 and earlier are affected by CVE-2022-25186.
What are the risks associated with CVE-2022-25186?
The risks of CVE-2022-25186 include potential exposure and misuse of sensitive Vault secrets by attackers controlling agent processes.
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/references
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- vendor/jenkins
- canonical/hashicorp vault
- version/hashicorp vault/3.8.0