CVE-2020-2307
Description
Jenkins Kubernetes Plugin 1.27.3 and earlier allows low-privilege users to access potentially sensitive Jenkins controller environment variables.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
Jenkins Kubernetes Plugin version 1.27.3 and earlier contains a vulnerability that allows low-privilege users to read potentially sensitive environment variables from the Jenkins controller [1][2]. The issue lies in the substituteEnv method in PodTemplateUtils.java, which performed environment variable substitution without any access control check [3]. The method replaced placeholders of the form ${VAR_NAME} with the value of the controller's corresponding environment variable, inadvertently exposing internal configuration data to whoever controlled the template text.
Exploitation
An attacker with only low-privilege access (e.g., a user with no administrative rights) could exploit this by crafting a job or pipeline that triggers the vulnerable code path. No authentication bypass or elevated privileges are required beyond being able to configure or run a job that interacts with the Kubernetes plugin. The vulnerability is rooted in the lack of authorization enforcement before environment variable lookup [3].
Impact
Successful exploitation allows an attacker to read environment variables from the Jenkins controller, which may contain sensitive information such as API tokens, passwords, cloud credentials, or other configuration secrets [1][4]. This could lead to further compromise of the Jenkins instance and integrated systems.
Mitigation
Jenkins has released Kubernetes Plugin version 1.27.4, which addresses this issue by making environment variable substitution a no-op by default; the old behaviour is only available by explicit opt-in, by setting the system property org.csanchez.jenkins.plugins.kubernetes.PodTemplateUtils.SUBSTITUTE_ENV=true on the controller JVM [1][3]. Users are strongly advised to upgrade to this version or later. No workaround is available for earlier versions without code modification.
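As an added illustration (not code from the Kubernetes plugin or from the advisory), the following Java program models the two behaviours described above: a ${NAME} placeholder expander in the style of substituteEnv, once in its pre-fix form that always resolves placeholders against the controller environment, and once in its post-fix form that is a no-op unless a system property opts in. It also includes a small audit helper that lists which placeholders in a template would resolve to controller variables if substitution were enabled. The class, method and property names (EnvSubstitutionDemo, substituteEnvVulnerable, substituteEnvFixed, resolvableReferences, demo.PodTemplateUtils.SUBSTITUTE_ENV) and the environment values are assumptions constructed for this example; the real plugin reads System.getenv() and the property named in the mitigation.

```java
// Added illustration, not code from the Kubernetes plugin: a ${NAME}
// placeholder expander in the style of substituteEnv, in its pre-fix
// (always expands) and post-fix (opt-in via system property) forms.
// The environment map and template strings below are constructed samples.
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class EnvSubstitutionDemo {

    // Hypothetical property name for this demo; the real plugin reads
    // org.csanchez.jenkins.plugins.kubernetes.PodTemplateUtils.SUBSTITUTE_ENV
    static final String OPT_IN_PROPERTY = "demo.PodTemplateUtils.SUBSTITUTE_ENV";

    // Matches ${NAME} where NAME is a conventional environment variable name.
    private static final Pattern PLACEHOLDER =
            Pattern.compile("\\$\\{([A-Za-z_][A-Za-z0-9_]*)\\}");

    /** Replace every ${NAME} whose NAME exists in env; leave unknown names untouched. */
    static String replaceMacro(String s, Map<String, String> env) {
        if (s == null) {
            return null;
        }
        Matcher m = PLACEHOLDER.matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = env.get(m.group(1));
            String replacement = value != null ? value : m.group(0);
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Pre-fix behaviour: any caller can resolve placeholders against the controller environment. */
    static String substituteEnvVulnerable(String s, Map<String, String> controllerEnv) {
        return replaceMacro(s, controllerEnv);
    }

    /** Post-fix behaviour: a no-op unless the administrator opted in via the system property. */
    static String substituteEnvFixed(String s, Map<String, String> controllerEnv) {
        boolean optedIn = Boolean.getBoolean(OPT_IN_PROPERTY);
        return optedIn ? replaceMacro(s, controllerEnv) : s;
    }

    /** Audit helper: placeholders in a template that would resolve to controller variables if enabled. */
    static List<String> resolvableReferences(String template, Map<String, String> controllerEnv) {
        List<String> hits = new ArrayList<>();
        Matcher m = PLACEHOLDER.matcher(template);
        while (m.find()) {
            if (controllerEnv.containsKey(m.group(1))) {
                hits.add(m.group(1));
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed stand-in for System.getenv() on a controller; values are fake.
        Map<String, String> controllerEnv = new LinkedHashMap<>();
        controllerEnv.put("JENKINS_HOME", "/var/jenkins_home");
        controllerEnv.put("CLOUD_API_TOKEN", "fake-token-for-demo");

        // Constructed template text of the kind a pod template field may carry.
        String template = "registry.example.test/app:${JENKINS_HOME}-${CLOUD_API_TOKEN}-${UNKNOWN}";

        // Pre-fix: both known names are expanded, including the fake token.
        System.out.println("vulnerable:       " + substituteEnvVulnerable(template, controllerEnv));

        // Post-fix, default: the template is returned unchanged.
        System.out.println("fixed (default):  " + substituteEnvFixed(template, controllerEnv));

        // Post-fix, after an administrator opts in: expansion is restored.
        System.setProperty(OPT_IN_PROPERTY, "true");
        System.out.println("fixed (opted in): " + substituteEnvFixed(template, controllerEnv));

        // Audit: which references in the template would resolve against this environment.
        System.out.println("audit:            " + resolvableReferences(template, controllerEnv));
    }
}
```

Running the program prints the expanded string for the vulnerable path, the untouched template for the fixed path, and the audit list [JENKINS_HOME, CLOUD_API_TOKEN]. The audit helper is the defender-side takeaway: before enabling the opt-in property on a real controller, run existing pod templates through a check like this to see which controller variables they would pull in.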
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.csanchez.jenkins.plugins:kubernetes (Maven) | >= 1.27.0, < 1.27.4 | 1.27.4 |
| org.csanchez.jenkins.plugins:kubernetes (Maven) | >= 1.26.0, < 1.26.5 | 1.26.5 |
| org.csanchez.jenkins.plugins:kubernetes (Maven) | >= 1.22.0, < 1.25.4.1 | 1.25.4.1 |
| org.csanchez.jenkins.plugins:kubernetes (Maven) | < 1.21.6 | 1.21.6 |
Affected products
- Range: unspecified
Patches
8dadc2168b10 [SECURITY-1646]
1 file changed · +5 −13
src/main/java/org/csanchez/jenkins/plugins/kubernetes/PodTemplateUtils.java+5 −13 modified@@ -75,6 +75,8 @@ public class PodTemplateUtils { private static final Pattern LABEL_VALIDATION = Pattern.compile("[a-zA-Z0-9]([_\\.\\-a-zA-Z0-9]*[a-zA-Z0-9])?"); + private static /*nonfinal*/ boolean SUBSTITUTE_ENV = Boolean.getBoolean(PodTemplateUtils.class.getName() + ".SUBSTITUTE_ENV"); + /** * Combines a {@link ContainerTemplate} with its parent. * @param parent The parent container template (nullable). @@ -519,21 +521,11 @@ public static PodTemplate getTemplateByName(@CheckForNull String name, Collectio * Substitutes a placeholder with a value found in the environment. * @param s The placeholder. Should be use the format: ${placeholder}. * @return The substituted value if found, or the input value otherwise. - */ - public static String substituteEnv(String s) { - return replaceMacro(s, System.getenv()); - } - - /** - * Substitutes a placeholder with a value found in the environment. - * @deprecated check if it is null or empty in the caller method, then use {@link #substituteEnv(String)} - * @param s The placeholder. Should be use the format: ${placeholder}. - * @param defaultValue The default value to return if no match is found. - * @return The substituted value if found, or the default value otherwise. + * @deprecated Potentially insecure; a no-op by default. */ @Deprecated - public static String substituteEnv(String s, String defaultValue) { - return substitute(s, System.getenv(), defaultValue); + public static String substituteEnv(String s) { + return SUBSTITUTE_ENV ? replaceMacro(s, System.getenv()) : s; } /**
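Review bot: In the first hunk, `SUBSTITUTE_ENV` is a `private static /*nonfinal*/ boolean` read once through `Boolean.getBoolean(...)` at class initialization, but nothing in the diff exposes a setter or accessor, so the `/*nonfinal*/` marker promises runtime toggling that an administrator can only reach via reflection or a script-console hack. Either make the field `final` if the property is meant to be fixed at JVM start, or add a short comment on the field stating the full property name (`org.csanchez.jenkins.plugins.kubernetes.PodTemplateUtils.SUBSTITUTE_ENV`) and the supported way to change it.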
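Review bot: In the second hunk, the two-argument `public static String substituteEnv(String s, String defaultValue)` overload is deleted outright, while the one-argument form is kept as a deprecated, gated method; any external plugin compiled against the removed overload will fail with a NoSuchMethodError at runtime rather than degrading safely. Keep a deprecated stub with the same gate, for example `return SUBSTITUTE_ENV ? substitute(s, System.getenv(), defaultValue) : s;`, so the security fix does not double as a binary-incompatible API change. The new Javadoc `@deprecated Potentially insecure; a no-op by default.` should also name the opt-in system property, since that is the only way a reader of the API learns how to re-enable the behaviour.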
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fh5w-p2j4-4p8x (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-2307 (ghsa, ADVISORY)
- github.com/CVEProject/cvelist/blob/381fe967666a5ce01625a7a050427aa4757e3ca6/2020/2xxx/CVE-2020-2307.json (ghsa, WEB)
- github.com/jenkinsci/kubernetes-plugin/commit/8dadc2168b108eb45c68037fa941d2594da46d79 (ghsa, WEB)
- www.jenkins.io/security/advisory/2020-11-04/ (ghsa, x_refsource_CONFIRM, WEB)
News mentions
- Jenkins Security Advisory 2020-11-04 (Jenkins Security Advisories · Nov 4, 2020)