CVE-2022-27209

Name of the Vulnerable Software and Affected Versions Jenkins Kubernetes Continuous Deploy Plugin versions 2.3.1 and earlier

Description A missing permission check in the plugin allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. This issue affects several HTTP endpoints, which do not perform permission checks. The enumerated credentials IDs can be used as part of an attack to capture the credentials using another vulnerability.

Recommendations For Jenkins Kubernetes Continuous Deploy Plugin versions 2.3.1 and earlier, consider disabling the plugin until a patch is available to prevent attackers from enumerating credentials IDs. Restrict access to the affected HTTP endpoints to minimize the risk of exploitation. Avoid using the plugin with Overall/Read permission to reduce the attack surface. At the moment, there is no information about a newer version that contains a fix for this vulnerability.