CVE-2020-2309 – jenkins-2-plugins/kubernetes: Missing permission check in Kubernetes Plugin allows enumerating credentials IDs
https://notcve.org/view.php?id=CVE-2020-2309
A missing/An incorrect permission check in Jenkins Kubernetes Plugin 1.27.3 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Una falta / o una incorrecta comprobación de permisos en Jenkins Kubernetes Plugin versiones 1.27.3 y anteriores, permite a atacantes con permiso Overall/Read enumerar los ID de credenciales almacenadas en Jenkins • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-2103 https://access.redhat.com/security/cve/CVE-2020-2309 https://bugzilla.redhat.com/show_bug.cgi?id=1895947 • CWE-862: Missing Authorization •
CVE-2020-8564 – Docker config secrets leaked when file is malformed and loglevel >= 4
https://notcve.org/view.php?id=CVE-2020-8564
In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. This affects < v1.19.3, < v1.18.10, < v1.17.13. En los clústeres de Kubernetes que usan un nivel de registro de al menos 4, el procesamiento de un archivo de configuración de docker malformado dará como resultado la filtración del contenido del archivo de configuración de docker, que puede incluir secretos de extracción u otras credenciales de registro. Esto afecta versiones anteriores a v1.19.3, versiones anteriores a v1.18.10, versiones anteriores a v1.17.13 A flaw was found in kubernetes. In Kubernetes, if the logging level is to at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. • https://github.com/kubernetes/kubernetes/issues/95622 https://groups.google.com/g/kubernetes-security-discuss/c/vm-HcrFUOCs/m/36utxAM5CwAJ https://security.netapp.com/advisory/ntap-20210122-0006 https://access.redhat.com/security/cve/CVE-2020-8564 https://bugzilla.redhat.com/show_bug.cgi?id=1886637 • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •