Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yanB4LWg4ajItZzhtNM4AAxJW
Exposure of system-scoped Kubernetes credentials in Jenkins Kubernetes Credentials Provider Plugin
Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled to.
Permalink: https://github.com/advisories/GHSA-2jpx-h8j2-g8m4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yanB4LWg4ajItZzhtNM4AAxJW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: 4 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-2jpx-h8j2-g8m4, CVE-2023-24425
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-24425
- https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3022
- https://github.com/jenkinsci/kubernetes-credentials-provider-plugin/commit/862c6e5fb1ef65968ebfa399239cbef4fff7afc6
- https://github.com/advisories/GHSA-2jpx-h8j2-g8m4
Blast Radius: 1.0
Affected Packages
maven:com.cloudbees.jenkins.plugins:kubernetes-credentials-provider
Affected Version Ranges: < 1.209.v862c6e5fb
Fixed in: 1.209.v862c6e5fb