CVE-2021-21661
https://notcve.org/view.php?id=CVE-2021-21661
Jenkins Kubernetes CLI Plugin 1.10.0 and earlier does not perform permission checks in several HTTP endpoints, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Jenkins Kubernetes CLI Plugin versión 1.10.0 y anteriores no lleva a cabo comprobaciones de permisos en varios endpoints HTTP, permitiendo a atacantes con permiso Overall/Read enumerar los ID de las credenciales almacenadas en Jenkins • http://www.openwall.com/lists/oss-security/2021/06/10/14 https://www.jenkins.io/security/advisory/2021-06-10/#SECURITY-2370 •
CVE-2020-8563 – Secret leaks in logs for vSphere Provider kube-controller-manager
https://notcve.org/view.php?id=CVE-2020-8563
In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3. En los clústeres de Kubernetes que utilizan VSphere como proveedor de nube, con un nivel de registro establecido en 4 o superior, las credenciales de la nube de VSphere se filtrarán en el registro del administrador del controlador de nube. Esto afecta a versiones anteriores a v1.19.3 A flaw was found in kubernetes. Clusters running on VSphere, using VSphere as a cloud provider a with logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. • https://github.com/kubernetes/kubernetes/issues/95621 https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ https://security.netapp.com/advisory/ntap-20210122-0006 https://access.redhat.com/security/cve/CVE-2020-8563 https://bugzilla.redhat.com/show_bug.cgi?id=1886635 • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •
CVE-2020-2307 – jenkins-2-plugins/kubernetes: Jenkins controller environment variables are accessible in Kubernetes Plugin
https://notcve.org/view.php?id=CVE-2020-2307
Jenkins Kubernetes Plugin 1.27.3 and earlier allows low-privilege users to access possibly sensitive Jenkins controller environment variables. Jenkins Kubernetes Plugin versiones 1.27.3 y anteriores, permiten a usuarios con pocos privilegios acceder a variables de entorno del controlador de Jenkins posiblemente confidenciales • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-1646 https://access.redhat.com/security/cve/CVE-2020-2307 https://bugzilla.redhat.com/show_bug.cgi?id=1895945 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2020-2308 – jenkins-2-plugins/kubernetes: Missing permission check in Kubernetes Plugin allows listing pod templates
https://notcve.org/view.php?id=CVE-2020-2308
A missing permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to list global pod template names. Una falta de comprobación de permisos en Jenkins Kubernetes Plugin versiones 1.27.3 y anteriores, permite a atacantes con permiso Overall/Read enumerar los nombres de las plantillas pod global • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2102 https://access.redhat.com/security/cve/CVE-2020-2308 https://bugzilla.redhat.com/show_bug.cgi?id=1895946 • CWE-862: Missing Authorization •
CVE-2020-2309 – jenkins-2-plugins/kubernetes: Missing permission check in Kubernetes Plugin allows enumerating credentials IDs
https://notcve.org/view.php?id=CVE-2020-2309
A missing/An incorrect permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Una falta / o una incorrecta comprobación de permisos en Jenkins Kubernetes Plugin versiones 1.27.3 y anteriores, permite a atacantes con permiso Overall/Read enumerar los ID de credenciales almacenadas en Jenkins • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2103 https://access.redhat.com/security/cve/CVE-2020-2309 https://bugzilla.redhat.com/show_bug.cgi?id=1895947 • CWE-862: Missing Authorization •