CVE-2023-24425: Exposure of system-scoped Kubernetes credentials in Jenkins Kubernetes Credentials Provider Plugin

January 26, 2023 (updated January 27, 2023)

Jenkins Kubernetes Credentials Provider Plugin 1.208.v128ee9800c04 and earlier does not set the appropriate context for Kubernetes credentials lookup, allowing attackers with Item/Configure permission to access and potentially capture Kubernetes credentials they are not entitled to.

References

github.com/advisories/GHSA-2jpx-h8j2-g8m4
nvd.nist.gov/vuln/detail/CVE-2023-24425
www.jenkins.io/security/advisory/2023-01-24/

Detect and mitigate CVE-2023-24425 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →