GitHub Advisory DatabaseGHSA-FH5W-P2J4-4P8XExposure of Sensitive Information to an Unauthorized Actor in Jenkins Kubernetes Plugin
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
20.7%
Jenkins Kubernetes Plugin prior to 1.27.4, 1.26.5, 1.25.4.1, and 1.21.6 includes a feature to replace placeholders in pod template and container template fields with environment variable values.
This feature allows low-privilege users to access possibly sensitive Jenkins controller environment variables.
Kubernetes Plugin 1.27.4, 1.26.5, 1.25.4.1, and 1.21.6 disables this feature.
References
github.com/advisories/GHSA-fh5w-p2j4-4p8x
github.com/CVEProject/cvelist/blob/381fe967666a5ce01625a7a050427aa4757e3ca6/2020/2xxx/CVE-2020-2307.json
github.com/jenkinsci/kubernetes-plugin/commit/8dadc2168b108eb45c68037fa941d2594da46d79
nvd.nist.gov/vuln/detail/CVE-2020-2307
www.jenkins.io/security/advisory/2020-11-04/#SECURITY-1646
Related
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
20.7%