GHSA-rr6j-37cv-c7x7

GitHub Security Advisory

Missing Authorization in Jenkins Kubernetes Plugin

✓ GitHub Reviewed MODERATE Has CVE

Jenkins Kubernetes Plugin prior to 1.27.4, 1.26.5, 1.25.4.1, and 1.21.6 does not perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to list global pod template names.

Kubernetes Plugin 1.27.4, 1.26.5, 1.25.4.1, and 1.21.6 requires Overall/Administer permission to list global pod template names.

Maven org.csanchez.jenkins.plugins:kubernetes

Affected versions: 1.27.1 (fixed in 1.27.4)

Maven org.csanchez.jenkins.plugins:kubernetes

Affected versions: 1.26.0 (fixed in 1.26.5)

Maven org.csanchez.jenkins.plugins:kubernetes

Affected versions: 1.22.0 (fixed in 1.25.4.1)

Maven org.csanchez.jenkins.plugins:kubernetes

Affected versions: 0 (fixed in 1.21.6)

CVE-2020-2308

GHSA ID

GHSA-rr6j-37cv-c7x7

Published

May 24, 2022 5:33 PM

Last Modified

May 24, 2023 1:49 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.csanchez.jenkins.plugins:kubernetes

GitHub Reviewed

✓ Yes

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.