Jenkins Kubernetes Plugin prior to 1.27.4, 1.26.5, 1.25.4.1, and 1.21.6 includes a feature to replace placeholders in pod template and container template fields with environment variable values.

This feature allows low-privilege users to access possibly sensitive Jenkins controller environment variables.

Kubernetes Plugin 1.27.4, 1.26.5, 1.25.4.1, and 1.21.6 disables this feature.

Affected Packages

Maven org.csanchez.jenkins.plugins:kubernetes

Affected versions: 1.27.0 (fixed in 1.27.4)

Maven org.csanchez.jenkins.plugins:kubernetes

Affected versions: 1.26.0 (fixed in 1.26.5)

Maven org.csanchez.jenkins.plugins:kubernetes

Affected versions: 1.22.0 (fixed in 1.25.4.1)

Maven org.csanchez.jenkins.plugins:kubernetes

Affected versions: 0 (fixed in 1.21.6)

Related CVEs

CVE-2020-2307

Key Information

GHSA ID

GHSA-fh5w-p2j4-4p8x

Published

May 24, 2022 5:33 PM

Last Modified

May 24, 2023 1:46 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.csanchez.jenkins.plugins:kubernetes

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 5, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.