CVE-2023-33001
https://notcve.org/view.php?id=CVE-2023-33001
Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3077 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2022-36888
https://notcve.org/view.php?id=CVE-2022-36888
A missing permission check in Jenkins HashiCorp Vault Plugin 354.vdb_858fd6b_f48 and earlier allows attackers with Overall/Read permission to obtain credentials stored in Vault with attacker-specified path and keys. Una falta de comprobación de permisos en Jenkins HashiCorp Vault Plugin versiones 354.vdb_858fd6b_f48 y anteriores, permite a atacantes con permiso Overall/Read obtener credenciales almacenadas en Vault con la ruta y las claves especificadas por el atacante • http://www.openwall.com/lists/oss-security/2022/07/27/1 https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2593 • CWE-862: Missing Authorization •
CVE-2022-25197
https://notcve.org/view.php?id=CVE-2022-25197
Jenkins HashiCorp Vault Plugin 336.v182c0fbaaeb7 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system. Jenkins HashiCorp Vault Plugin versiones 336.v182c0fbaaeb7 y anteriores, implementan una funcionalidad que permite a procesos del agente leer archivos arbitrarios en el sistema de archivos del controlador Jenkins • https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2521 •
CVE-2022-25186
https://notcve.org/view.php?id=CVE-2022-25186
Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key. Jenkins HashiCorp Vault Plugin versiones 3.8.0 y anteriores, implementan una funcionalidad que permite a procesos del agente recuperar cualquier secreto de Vault para usarlo en el agente, permitiendo a atacantes capaces de controlar los procesos del agente obtener secretos de Vault para una ruta y clave especificadas por el atacante • https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2429 •
CVE-2022-23109
https://notcve.org/view.php?id=CVE-2022-23109
Jenkins HashiCorp Vault Plugin 3.7.0 and earlier does not mask Vault credentials in Pipeline build logs or in Pipeline step descriptions when Pipeline: Groovy Plugin 2.85 or later is installed. El plugin Jenkins HashiCorp Vault versiones 3.7.0 y anteriores, no enmascara las credenciales de Vault en los registros de construcción de Pipeline o en las descripciones de los pasos de Pipeline cuando Pipeline: Groovy Plugin versión 2.85 o posterior es instalado • http://www.openwall.com/lists/oss-security/2022/01/12/6 https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2213 • CWE-522: Insufficiently Protected Credentials •