PT-2020-15537 · Jenkins · Jenkins Kubernetes Plugin

Published: 2020-11-04 · Updated: 2023-10-25 · CVE-2020-2307

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Kubernetes Plugin versions 1.27.3 and earlier (prior to 1.27.4)
Jenkins Kubernetes Plugin versions prior to 1.26.5
Jenkins Kubernetes Plugin versions prior to 1.25.4.1
Jenkins Kubernetes Plugin versions prior to 1.21.6
Description The Kubernetes Plugin replaces placeholders in pod template and container template fields with the values of environment variables. Because those values are taken from the environment of the Jenkins controller process, a low-privilege user who can edit pod or container template fields can place a reference to an arbitrary variable name in such a field and read back possibly sensitive Jenkins controller environment variables (information disclosure).
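The following is an added Python model of the substitution behaviour described above; it is not the Kubernetes Plugin's own (Java) code, and the `${NAME}` placeholder syntax, the sample controller environment and the sample pod template are constructed for illustration. It contrasts a substitution routine that reads the controller's process environment with one that only expands names explicitly supplied for the template, and includes an audit helper that reports which template fields would resolve against the controller environment.

```python
"""Model of CVE-2020-2307-style placeholder substitution (added example)."""
import os
import re

# Placeholder syntax assumed for this example: ${NAME}
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample controller environment (stands in for os.environ on the controller).
CONTROLLER_ENV = {
    "JENKINS_HOME": "/var/jenkins_home",
    "DEPLOY_TOKEN": "s3cr3t-token",
    "PATH": "/usr/bin",
}

# Constructed pod/container template as a low-privilege user might submit it.
SAMPLE_TEMPLATE = {
    "label": "jnlp-${JENKINS_HOME}",
    "image": "jenkins/inbound-agent:${AGENT_TAG}",
    "args": "--token=${DEPLOY_TOKEN}",
}


def expand_vulnerable(field: str, controller_env=None) -> str:
    """Replace ${NAME} with NAME's value from the controller process environment.

    This mirrors the affected behaviour: whoever can write the field can read any
    variable of the controller process. Unknown names are left literal here; that
    is a modelling choice, not a statement about the plugin.
    """
    env = os.environ if controller_env is None else controller_env
    return PLACEHOLDER.sub(lambda m: env.get(m.group(1), m.group(0)), field)


def expand_hardened(field: str, allowed: dict) -> str:
    """Expand only names explicitly supplied for this template.

    The process environment is never consulted, so a placeholder naming a
    controller variable stays literal instead of leaking its value.
    """
    return PLACEHOLDER.sub(lambda m: allowed.get(m.group(1), m.group(0)), field)


def audit_template(template: dict, controller_env) -> list:
    """Return (field, variable) pairs whose placeholder would resolve against the
    controller environment under the vulnerable behaviour."""
    findings = []
    for field, value in template.items():
        for name in PLACEHOLDER.findall(value):
            if name in controller_env:
                findings.append((field, name))
    return findings


if __name__ == "__main__":
    print("vulnerable :", expand_vulnerable(SAMPLE_TEMPLATE["args"], CONTROLLER_ENV))
    print("hardened   :", expand_hardened(SAMPLE_TEMPLATE["args"], {"AGENT_TAG": "4.11"}))
    print("audit      :", audit_template(SAMPLE_TEMPLATE, CONTROLLER_ENV))
```

The audit helper is the part worth keeping after patching: run it over exported pod templates to find placeholders that would have resolved against controller variables, since a field like `args` in the sample ends up in the pod spec or build log where its author can read it.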
Recommendations For Jenkins Kubernetes Plugin version 1.27.3 and earlier, update to version 1.27.4 or later. On the backport lines, update to version 1.26.5 or later, 1.25.4.1 or later, or 1.21.6 or later respectively. Where the update cannot be applied immediately, disable the feature that replaces placeholders in pod template and container template fields with environment variable values as a temporary workaround until the fixed version is installed.
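Deciding whether an installed plugin is affected is awkward because the fix was shipped on four release lines, so a plain "less than 1.27.4" comparison misreports 1.26.5, 1.25.4.1 and 1.21.6. The following added Python helper (not part of the advisory or the plugin) encodes the version ranges listed above and reads the plugin list in the shape returned by the Jenkins `pluginManager/api/json?depth=1` endpoint; the sample JSON document is constructed, and only the `shortName` and `version` fields of each plugin entry are relied upon.

```python
"""Affected-version check for CVE-2020-2307 (added example)."""
import json
import re

# First fixed release on each line, from the advisory's version ranges.
FIXED_MAINLINE = (1, 27, 4)
FIXED_BACKPORTS = [(1, 26, 5), (1, 25, 4, 1), (1, 21, 6)]

# Constructed sample of the pluginManager JSON shape (only shortName/version matter here).
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "version": "4.4.5", "active": True},
        {"shortName": "kubernetes", "version": "1.26.4", "active": True},
    ]
})


def parse_version(version: str) -> tuple:
    """Turn '1.25.4.1' into (1, 25, 4, 1); stop at the first non-numeric piece.

    A suffix such as '-SNAPSHOT' is dropped from its component, and a version
    string that yields no numeric components compares as affected (conservative).
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if this Kubernetes Plugin version falls in an affected range."""
    v = parse_version(version)
    if v >= FIXED_MAINLINE:
        return False
    # A backport fix only covers its own release line: 1.26.5 is fixed, 1.26.4 is not,
    # and a version on a line without a backport (e.g. 1.22.x) is affected.
    for fixed in FIXED_BACKPORTS:
        line = fixed[:-1]
        if v[:len(line)] == line:
            return v < fixed
    return True


def check_plugin_manager(json_text: str) -> dict:
    """Locate the 'kubernetes' plugin in pluginManager JSON and classify it.

    Returns {'version': str, 'affected': bool}, or None if the plugin is not installed.
    """
    data = json.loads(json_text)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == "kubernetes":
            version = plugin.get("version", "")
            return {"version": version, "affected": is_affected(version)}
    return None


if __name__ == "__main__":
    print(check_plugin_manager(SAMPLE_PLUGIN_MANAGER_JSON))
```

To use it against a live controller, fetch the plugin list with an API token, for example `curl -s -u USER:TOKEN "$JENKINS_URL/pluginManager/api/json?depth=1"`, and pass the response body to `check_plugin_manager`. The `depth=1` parameter is what makes the per-plugin `version` field appear in the response.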

Weakness Enumeration

Information Disclosure

Related Identifiers

CVE-2020-2307
GHSA-FH5W-P2J4-4P8X
RHSA-2021:0034
RHSA-2021:0038
RHSA-2021:0637

Affected Products

Jenkins
Jenkins Kubernetes Plugin