GHSA-fm6q-97gw-c4wh
GitHub Security Advisory
Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin
✓ GitHub Reviewed
LOW
Has CVE
Advisory Details
Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functionality that allows agent processes to retrieve any Vault secrets for use on the agent, allowing attackers able to control agent processes to obtain Vault secrets for an attacker-specified path and key.
Affected Packages
Maven
com.datapipe.jenkins.plugins:hashicorp-vault-plugin
Affected versions: 0 (fixed in 336.v182c0fbaaeb7)
Related CVEs
Key Information
2.5/10
Dataset
Last updated: August 24, 2025 6:28 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.