GHSA-2jpx-h8j2-g8m4

Source

https://github.com/advisories/GHSA-2jpx-h8j2-g8m4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-2jpx-h8j2-g8m4/GHSA-2jpx-h8j2-g8m4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2jpx-h8j2-g8m4

Aliases

CVE-2023-24425

Published

2023-01-26T21:30:18Z

Modified

2024-12-05T05:33:14.242349Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Exposure of system-scoped Kubernetes credentials in Jenkins Kubernetes Credentials Provider Plugin

Details

Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled to.

Database specific

{
    "nvd_published_at": "2023-01-26T21:18:00Z",
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-27T01:02:39Z"
}

References

Affected packages

Maven / com.cloudbees.jenkins.plugins:kubernetes-credentials-provider

Package

Name: com.cloudbees.jenkins.plugins:kubernetes-credentials-provider; View open source insights on deps.dev
Purl: pkg:maven/com.cloudbees.jenkins.plugins/kubernetes-credentials-provider

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.209.v862c6e5fb

Affected versions

0.*

0.8

0.9

0.10

0.11

0.12

0.12.1

0.13

0.14

0.15

0.16

0.17

0.18-1

0.20

0.21

0.22

1.*

1.196.va_55f5e31e3c2

1.199.v4a_1d1f5d074f

1.201.v11b_14c7a_0772

1.206.v7ce2cf7b_0c8b

1.208.v128ee9800c04