CVE-2020-2309
Description
Jenkins Kubernetes Plugin 1.27.3 and earlier lacks a permission check, allowing attackers with Overall/Read to enumerate credential IDs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins Kubernetes Plugin, which dynamically provisions build agents in Kubernetes clusters, is missing a permission check in versions 1.27.3 and earlier. An attacker holding only the Overall/Read permission can use it to enumerate the IDs of credentials stored in Jenkins [2][3]. The root cause is visible in the fix commit: the form-validation method doFillCredentialsIdItems in KubectlBuildWrapper, which populates the credentials drop-down of the kubectl build wrapper, listed matching credentials without first checking that the caller has Item/ExtendedRead on the job (or Overall/Administer when called outside a job context).
Exploitation
An attacker must have at least Overall/Read access to the Jenkins instance, which is a low-privilege permission often granted to many users. No other authentication or network position is required beyond being able to access the Jenkins web interface. The attacker can then use the plugin's API or UI to list credential IDs without needing to know the actual credential values [2].
Impact
Successful exploitation results in the disclosure of credential IDs, which are unique identifiers for stored credentials (e.g., usernames, API tokens, SSH keys). While the actual secret values are not exposed, knowledge of credential IDs can aid an attacker in crafting further attacks, such as attempting to use those credentials in other contexts or targeting specific credentials for theft via other vulnerabilities [2][3].
Mitigation
The vulnerability is fixed in Jenkins Kubernetes Plugin 1.27.4; the advisory data also lists backported fixes 1.26.5, 1.25.4.1 and 1.21.6 for the older release lines shown in the affected-package table below. Users should upgrade to a fixed version (preferably the latest). No workaround is available; the only mitigation is to apply the update [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| org.csanchez.jenkins.plugins:kubernetes (Maven) | >= 1.27.0, < 1.27.4 | 1.27.4 |
| org.csanchez.jenkins.plugins:kubernetes (Maven) | >= 1.26.0, < 1.26.5 | 1.26.5 |
| org.csanchez.jenkins.plugins:kubernetes (Maven) | >= 1.22.0, < 1.25.4.1 | 1.25.4.1 |
| org.csanchez.jenkins.plugins:kubernetes (Maven) | < 1.21.6 | 1.21.6 |
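An added example, not part of this CVE record, that checks an installed Jenkins Kubernetes Plugin version against the four affected ranges in the table above. It assumes plugin versions are dotted numerics as printed in the table (an optional "-qualifier" suffix is dropped) and takes a {plugin short name: version} inventory that you build from your own plugin listing.

```python
# Added example (not part of this CVE record): check an installed Jenkins
# Kubernetes Plugin version against the affected ranges for CVE-2020-2309.
from typing import Dict, List, Optional, Tuple

# (lower bound inclusive or None, upper bound exclusive, patched version),
# copied from the "Affected packages" table above.
AFFECTED_RANGES = [
    ("1.27.0", "1.27.4", "1.27.4"),
    ("1.26.0", "1.26.5", "1.26.5"),
    ("1.22.0", "1.25.4.1", "1.25.4.1"),
    (None, "1.21.6", "1.21.6"),
]

def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric plugin version ('1.25.4.1') -> comparable tuple.
    A '-qualifier' suffix such as '-SNAPSHOT' is dropped. Tuples of
    different length compare as intended: (1, 25, 4) < (1, 25, 4, 1)."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))

def affected_range(version: str) -> Optional[Tuple[Optional[str], str, str]]:
    """Return the (low, high, fix) entry the version falls into, or None.
    Versions between the published branches (e.g. 1.21.7) match no listed
    range and return None; since the advisory says '1.27.3 and earlier',
    treat such gaps as unverified rather than as safe."""
    parsed = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if (low is None or parsed >= parse_version(low)) and parsed < parse_version(high):
            return (low, high, fix)
    return None

def scan_inventory(plugins: Dict[str, str]) -> List[str]:
    """Report findings for a {plugin_short_name: version} inventory."""
    findings: List[str] = []
    version = plugins.get("kubernetes")
    if version is None:
        return findings  # plugin not installed: nothing to report
    hit = affected_range(version)
    if hit is not None:
        low, high, fix = hit
        findings.append(f"kubernetes {version} is affected by CVE-2020-2309 "
                        f"(range {low or '<'}..{high}); upgrade to {fix}")
    return findings

if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real instance.
    sample = {"kubernetes": "1.27.3", "credentials": "2.3.13"}
    for line in scan_inventory(sample):
        print(line)
```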
Affected products
- Range: unspecified
Patches
f26130149c48 [SECURITY-2103]
1 file changed · +7 −1
src/main/java/org/csanchez/jenkins/plugins/kubernetes/KubectlBuildWrapper.java+7 −1 modified@@ -19,6 +19,7 @@ import hudson.tasks.BuildWrapperDescriptor; import hudson.util.ListBoxModel; import jenkins.authentication.tokens.api.AuthenticationTokens; +import jenkins.model.Jenkins; import jenkins.tasks.SimpleBuildWrapper; import org.jenkinsci.Symbol; import org.jenkinsci.plugins.kubernetes.auth.KubernetesAuthConfig; @@ -126,7 +127,12 @@ public String getDisplayName() { return "Setup Kubernetes CLI (kubectl)"; } - public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item, @QueryParameter String serverUrl) { + public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item, @QueryParameter String serverUrl, @QueryParameter String credentialsId) { + if (item == null + ? !Jenkins.get().hasPermission(Jenkins.ADMINISTER) + : !item.hasPermission(Item.EXTENDED_READ)) { + return new StandardListBoxModel().includeCurrentValue(credentialsId); + } StandardListBoxModel result = new StandardListBoxModel(); result.includeEmptyValue(); result.includeMatchingAs(
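Review bot: the early return in doFillCredentialsIdItems (hunk @@ -126,7 +127,12 @@) hands back only includeCurrentValue(credentialsId) when the caller lacks Item.EXTENDED_READ, or Jenkins.ADMINISTER when there is no item context, which is the right shape for a Jenkins form-filler guard; but the hunk is cut off at result.includeMatchingAs( so the review cannot see whether the lookup that follows is scoped to item, so please confirm that call passes item as its context. Style point: the negated ternary `item == null ? !Jenkins.get().hasPermission(Jenkins.ADMINISTER) : !item.hasPermission(Item.EXTENDED_READ)` is hard to read at a glance; a small boolean helper (for example canListCredentials(item)) used as `if (!canListCredentials(item))` would make the intent obvious and be reusable by any other doFill*/doCheck* methods in the plugin that touch credentials.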
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-g2r3-4g8q-h5rj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-2309 (ghsa, ADVISORY)
- github.com/CVEProject/cvelist/blob/381fe967666a5ce01625a7a050427aa4757e3ca6/2020/2xxx/CVE-2020-2309.json (ghsa, WEB)
- github.com/jenkinsci/kubernetes-plugin/commit/f26130149c487b1ef8ece9b7b881739c2f8c6736 (ghsa, WEB)
- www.jenkins.io/security/advisory/2020-11-04/ (ghsa, x_refsource_CONFIRM, WEB)
News mentions
- Jenkins Security Advisory 2020-11-04 (Jenkins Security Advisories · Nov 4, 2020)