CVE-2023-24425 – com.cloudbees.jenkins.plugins:kubernetes-credentials-provider
Package
Manager: maven
Name: com.cloudbees.jenkins.plugins:kubernetes-credentials-provider
Vulnerable Version: >=0 <1.209.v862c6e5fb
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00158 (percentile 0.37195)
Details
Exposure of system-scoped Kubernetes credentials in Jenkins Kubernetes Credentials Provider Plugin
Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled to.
Metadata
Created: 2023-01-26T21:30:18Z
Modified: 2023-02-03T20:46:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-2jpx-h8j2-g8m4/GHSA-2jpx-h8j2-g8m4.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-2jpx-h8j2-g8m4
Finding: F159
Auto approve: 1