CVE-2020-2121

HIGH8.8EPSS 1.6%

RCE vulnerability in Google Kubernetes Engine Plugin

發布日:2022/5/24修改日:2023/11/8

描述

Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Google Kubernetes Engine Plugin’s build step. Google Kubernetes Engine Plugin 0.8.1 configures its YAML parser to only instantiate safe types.

受影響套件(1)

Maven/org.jenkins-ci.plugins:google-kubernetes-enginefrom 0, < 0.8.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-2121
PATCHhttps://github.com/jenkinsci/google-kubernetes-engine-plugin
WEBhttps://jenkins.io/security/advisory/2020-02-12/#SECURITY-1731
WEBhttp://www.openwall.com/lists/oss-security/2020/02/12/3