CVE-2022-23116 - OpenCVE

Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Jenkins	Conjur Secrets

Configuration 1 [-]

cpe:2.3:a:jenkins:conjur_secrets:*:*:*:*:*:jenkins:*:*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/01/12/6	Mailing List Third Party Advisory
https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20%281%29	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jenkins

Published: 2022-01-12T19:06:23

Updated: 2023-10-24T14:19:24.585Z

Reserved: 2022-01-11T00:00:00

Link: CVE-2022-23116

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-01-12T20:15:09.707

Modified: 2023-11-30T18:59:43.410

Link: CVE-2022-23116

JSON object: View

Redhat Information

No data.

CWE

CWE-311

{"containers": {"cna": {"affected": [{"product": "Jenkins Conjur Secrets Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "1.0.9", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "unknown", "version": "next of 1.0.9", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T14:19:24.585Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20%281%29"}, {"name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2022-23116", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Conjur Secrets Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "1.0.9"}, {"version_affected": "?>", "version_value": "1.0.9"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-693: Protection Mechanism Failure"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20(1)", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20(1)"}, {"name": "[oss-security] 20220112 Multiple vulnerabilities in Jenkins and Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}]}}}}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2022-23116", "datePublished": "2022-01-12T19:06:23", "dateReserved": "2022-01-11T00:00:00", "dateUpdated": "2023-10-24T14:19:24.585Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:conjur_secrets:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "B0318346-90AE-48D3-B918-A26CBE89B91F", "versionEndIncluding": "1.0.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Conjur Secrets Plugin 1.0.9 and earlier implements functionality that allows attackers able to control agent processes to decrypt secrets stored in Jenkins obtained through another method."}, {"lang": "es", "value": "Jenkins Conjur Secrets Plugin versiones 1.0.9 y anteriores, implementan una funcionalidad que permite a atacantes capaces de controlar los procesos del agente descifrar los secretos almacenados en Jenkins obtenidos mediante otro m\u00e9todo"}], "id": "CVE-2022-23116", "lastModified": "2023-11-30T18:59:43.410", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-12T20:15:09.707", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/01/12/6"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20%281%29"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-311"}], "source": "nvd@nist.gov", "type": "Primary"}]}