CVE-2022-23116

7.5 HIGH

📋 TL;DR

Conjur Secrets Plugin 1.0.9 and earlier implements functionality that lets Jenkins agent processes retrieve the Conjur credentials stored on the Jenkins controller. An attacker who already controls an agent process (for example, through a compromised build node or a malicious build step) can use this to decrypt secrets stored in Jenkins that they obtained through another method, such as encrypted values copied from a leaked credentials.xml. Attackers need existing control of an agent process to exploit this flaw; it is not reachable by an unauthenticated network attacker.

💻 Affected Systems

Products:
  • Jenkins Conjur Secrets Plugin
Versions: 1.0.9 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Jenkins instances with Conjur Secrets Plugin installed. Requires attacker control of an agent process; any job that runs untrusted code on an agent (for example, a pull-request build) is a realistic path to that control.

📦 What is this software?

Conjur Secrets Plugin (plugin short name conjur-credentials) integrates Jenkins with CyberArk Conjur. It lets jobs consume secrets held in Conjur as ordinary Jenkins credentials, authenticating to Conjur with a login and API key that are themselves stored as a credential on the Jenkins controller.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with control of an agent who has also obtained encrypted secret material from the controller (for example, from a backup of credentials.xml or job config files) could recover its plaintext: the Conjur login credentials, plus any credentials, API keys, and sensitive configuration data those encrypted values protect.

🟠

Likely Case

A malicious or compromised agent, or untrusted build code executing on a legitimate agent, could access secrets the agent was never meant to see, enabling lateral movement into Conjur-protected systems or data exfiltration.

🟢

If Mitigated

With proper agent security controls and network segmentation, impact is limited to secrets accessible to already-compromised agents.

🌐 Internet-Facing: MEDIUM - Internet-facing Jenkins instances that build untrusted code (public pull requests, shared agents) give attackers a path to agent control, but the flaw itself cannot be triggered without it.
🏢 Internal Only: HIGH - Internal attackers or malware that already have code execution on an agent could use this to escalate from a single build node to secrets held by the controller.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires existing code execution inside a Jenkins agent process. Not exploitable from the network without first obtaining that access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.10 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2522%20%281%29

Restart Required: Yes

Instructions:

1. Update Jenkins Conjur Secrets Plugin to version 1.0.10 or later via Jenkins Plugin Manager.
2. Restart Jenkins after the plugin update.
3. Verify the plugin version in Manage Jenkins > Manage Plugins.

🔧 Temporary Workarounds

Restrict Agent Access

Platforms: all

Limit which jobs may run on which agents (agent labels, job-to-agent restrictions, per-job authorization) so that untrusted build code never executes on an agent attached to a controller holding sensitive Conjur credentials. Treat every agent as trusted to the level of the secrets the controller stores.

Network Segmentation

Platforms: all

Isolate Jenkins agents from sensitive systems and from the Conjur service itself, and apply strict network controls so that a compromised agent cannot use recovered credentials directly.

🧯 If You Can't Patch

  • Implement strict agent security controls and monitor agent activity; remove or quarantine agents that run untrusted code
  • Rotate the Conjur login credentials stored in Jenkins and any secrets that may have been decrypted, and move remaining secrets into a managed secret store with short-lived credentials where possible

🔍 How to Verify

Check if Vulnerable:

Check Jenkins plugin manager for Conjur Secrets Plugin version. If version is 1.0.9 or earlier, system is vulnerable.

Check Version:

Check via Jenkins web UI: Manage Jenkins > Manage Plugins > Installed tab. From the controller's filesystem, read the Plugin-Version header in $JENKINS_HOME/plugins/conjur-credentials/META-INF/MANIFEST.MF (the expanded plugin directory), or extract it from the archive with: unzip -p $JENKINS_HOME/plugins/conjur-credentials.jpi META-INF/MANIFEST.MF

Verify Fix Applied:

Verify Conjur Secrets Plugin version is 1.0.10 or later in Jenkins plugin manager.
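The version check above, as an added shell example that is not part of the Jenkins advisory or the plugin project. It reads Plugin-Version from the plugin's MANIFEST.MF (the expanded plugin directory first, then the .jpi archive), compares it numerically against 1.0.10 without relying on GNU sort -V, and includes a constructed sample manifest so it can be run offline. The plugin short name conjur-credentials comes from this page; the default JENKINS_HOME of /var/lib/jenkins and the presence of unzip are assumptions.

```shell
#!/bin/sh
# Added example (not from the Jenkins advisory or the plugin project).
# Decides whether an installed Conjur Secrets Plugin is affected by CVE-2022-23116
# (version 1.0.9 or earlier). Assumes plugin short name conjur-credentials.

# Return 0 (true) if version $1 is strictly lower than version $2.
# Component-wise numeric comparison in awk, so it works without GNU sort -V.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, ".")
        nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# Print the Plugin-Version header from MANIFEST.MF text supplied on stdin.
manifest_version() {
    awk -F': ' '/^Plugin-Version:/ { v = $2; sub(/\r$/, "", v); print v; exit }'
}

# Print the installed plugin's version. Looks at the expanded plugin directory,
# then at the .jpi archive. Prints nothing if the plugin is not installed.
# $1 overrides JENKINS_HOME; /var/lib/jenkins is an assumed default.
installed_version() {
    home="${1:-${JENKINS_HOME:-/var/lib/jenkins}}"
    if [ -f "$home/plugins/conjur-credentials/META-INF/MANIFEST.MF" ]; then
        manifest_version < "$home/plugins/conjur-credentials/META-INF/MANIFEST.MF"
    elif [ -f "$home/plugins/conjur-credentials.jpi" ]; then
        unzip -p "$home/plugins/conjur-credentials.jpi" META-INF/MANIFEST.MF | manifest_version
    fi
}

# Verdict for a version string: anything below the fix version 1.0.10 is vulnerable.
verdict() {
    if version_lt "$1" "1.0.10"; then echo vulnerable; else echo fixed; fi
}

# Constructed sample manifest for an offline run (not a real file from any system).
SAMPLE_MANIFEST='Manifest-Version: 1.0
Plugin-Version: 1.0.9
Short-Name: conjur-credentials
Long-Name: Conjur Secrets Plugin
'

# Run the check against the sample manifest and, if present, the live installation.
demo() {
    v=$(printf '%s' "$SAMPLE_MANIFEST" | manifest_version)
    echo "sample manifest: version $v -> $(verdict "$v")"
    live=$(installed_version "$@")
    if [ -n "$live" ]; then
        echo "installed plugin: version $live -> $(verdict "$live")"
    else
        echo "installed plugin: not found under ${1:-${JENKINS_HOME:-/var/lib/jenkins}}"
    fi
}
```

Run it on the controller as the Jenkins user (for example: `. ./check.sh && demo /var/lib/jenkins`). The numeric comparison matters because a plain string comparison would rank 1.0.10 below 1.0.9 and report a patched plugin as vulnerable.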

📡 Detection & Monitoring

Log Indicators:

  • Unusual credential or secret access patterns attributed to agents rather than to the controller
  • Agent-to-controller calls that request Conjur credential material from the controller outside the normal credential-binding flow of a job

Network Indicators:

  • Agents making direct, unexpected connections to Conjur or other secret stores beyond what their jobs require

SIEM Query:

source="jenkins.log" AND ("conjur" OR "ConjurSecret") AND ("agent" OR "channel")

Treat this as a starting point to tune against your own log format: Jenkins does not log individual accepted agent-to-controller calls by default, so reliable detection may require plugin-level or audit logging rather than the default controller log.

🔗 References
