CVE-2022-25186: Agent-to-controller security bypass in Jenkins HashiCorp Vault Plugin
CVSS Score: 3.1
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.69182%
CWE
Published: 2/16/2022
Updated: 2/3/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
com.datapipe.jenkins.plugins:hashicorp-vault-plugin | maven | <= 3.8.0 | 336.v182c0fbaaeb7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from agent processes being able to directly request Vault secrets. Jenkins plugins typically implement agent-controller communication via RPC, where agent-side stubs call controller-side methods. The advisory indicates the patched version removed this functionality, suggesting the vulnerable functions were controller-side secret retrieval methods that:

1) Accepted arbitrary path/key parameters from agents
2) Lacked proper authorization checks
3) Were part of the Vault integration logic

The high-confidence entry reflects core secret retrieval plumbing, while the medium-confidence entry represents a deeper implementation detail inferred from typical plugin architecture.