Insufficient Permission Verification in Jenkins Kubernetes Plugin by CloudBees
CVE-2020-2308

4.3MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Kubernetes Plugin
Vendor
CVE Published:
4 November 2020

Summary

The Jenkins Kubernetes Plugin prior to version 1.27.4 exhibits a vulnerability due to inadequate permission checks. This flaw allows attackers who possess Overall/Read permissions to enumerate global pod template names, potentially exposing sensitive operational configurations. Users are advised to update to the latest version to mitigate the risks associated with this vulnerability.

Affected Version(s)

Jenkins Kubernetes Plugin 1.27.1

Jenkins Kubernetes Plugin <= 1.27.3

Jenkins Kubernetes Plugin 1.26.5

References

https://www.jenkins.io/security/advisory/2020-11-04/#SECU...
x_refsource_CONFIRM

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.