Incorrect Permission Checks in Jenkins Kubernetes Plugin by Jenkins
CVE-2020-2309

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Kubernetes Plugin
Vendor: CVE Published:; 4 November 2020

Summary

An incorrect permission check in the Jenkins Kubernetes Plugin allows users with Overall/Read permission to enumerate the IDs of credentials stored in Jenkins. This vulnerability can lead to unauthorized access to sensitive information, compromising the integrity of secured credentials. The affected versions include any prior to the plugin version 1.27.4, making it critical for users to update to the latest version to ensure their systems are secure. For more details, please refer to the Jenkins security advisory.

Affected Version(s)

Jenkins Kubernetes Plugin <= 1.27.3

Jenkins Kubernetes Plugin 1.26.5

Jenkins Kubernetes Plugin 1.25.4.1

References

https://www.jenkins.io/security/advisory/2020-11-04/#SECU...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 4, 2020
Vulnerability Reserved
Dec 5, 2019