Jenkins HashiCorp Vault Plugin Vulnerability

MEDIUM (4.3) No Patch (4 days)

Threat Intelligence

Low Risk
EPSS Score: 0.03% chance of exploitation (percentile: 6%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

The Jenkins HashiCorp Vault Plugin is a plugin for integrating HashiCorp's Vault with Jenkins, a popular continuous integration and continuous deployment tool. This vulnerability allows attackers to access and potentially capture sensitive credentials stored in Vault without needing specific permissions.

Am I affected?

Affected versions: 6

If you don't recognise this software, you're probably not affected.

Affected Packages

maven: org.jenkinsci.plugins[hashicorp-vault-plugin]

Affected Products

HashiCorp / HashiCorp Vault Plugin

How to fix

To fix this vulnerability, upgrade to Jenkins HashiCorp Vault Plugin version 371.v884a_4dd60fb_7 or later. You can do this by updating your jenkins-plugin.xml file with the new dependency version:

<plugin>
    <groupId>org.jenkinsci.plugins</groupId>
    <artifactId>hashicorp-vault-plugin</artifactId>
    <version>371.v884a_4dd60fb_7</version>
</plugin>

Alternatively, you can apply immediate mitigations:
- Restrict network access to your Jenkins instance (firewall it from the public internet)
- Audit plugin configurations for suspicious settings
- Monitor for unauthorized plugin activity
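An added inventory check (example code, not from the advisory or the plugin project): it reads the plugin list that Jenkins serves at `<JENKINS_URL>/pluginManager/api/json?depth=1` and flags an installed hashicorp-vault-plugin older than the fixed version named above. The sample API output and the installed version in it are constructed, and the version ordering is a simplified approximation of Jenkins' own numeric-first comparison rather than a port of it.

```python
import json
import re

# Fixed version stated in the advisory above.
FIXED_VERSION = "371.v884a_4dd60fb_7"
PLUGIN_SHORT_NAME = "hashicorp-vault-plugin"


def _token_key(token: str):
    """Sortable key for one dot-separated version token.

    Newer Jenkins plugin versions look like '371.v884a_4dd60fb_7': the leading
    integer (a commit count) decides ordering and the hash suffix is
    informational. A token with no leading integer sorts before any numeric
    token. Simplified approximation of Jenkins' VersionNumber, not a port.
    """
    m = re.match(r"(\d+)", token)
    return (1, int(m.group(1))) if m else (0, token)


def version_key(version: str):
    return tuple(_token_key(t) for t in version.split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version sorts below the fixed version."""
    return version_key(installed) < version_key(fixed)


def find_vulnerable_plugins(plugin_manager_json: str,
                            short_name: str = PLUGIN_SHORT_NAME,
                            fixed: str = FIXED_VERSION):
    """Scan pluginManager/api/json output; return (version, active) for
    affected installs of the named plugin."""
    data = json.loads(plugin_manager_json)
    hits = []
    for p in data.get("plugins", []):
        if p.get("shortName") == short_name and is_vulnerable(p.get("version", "0"), fixed):
            hits.append((p["version"], bool(p.get("active"))))
    return hits


# Constructed sample of the plugin manager API output; the hash suffix in the
# installed version is made up, not a real release.
SAMPLE_API_JSON = json.dumps({"plugins": [
    {"shortName": "hashicorp-vault-plugin", "version": "360.v0123456789a_b", "active": True},
    {"shortName": "git", "version": "5.2.1", "active": True},
]})

if __name__ == "__main__":
    for version, active in find_vulnerable_plugins(SAMPLE_API_JSON):
        print(f"{PLUGIN_SHORT_NAME} {version} (active={active}) is below {FIXED_VERSION}: upgrade")
```

To run it against a live controller, fetch the JSON with an account that may read the plugin manager and pass the response body to find_vulnerable_plugins.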
