CVE-2020-2123 — RCE vulnerability in RadarGun Plugin

描述

RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to configure RadarGun Plugin’s build step. RadarGun Plugin 1.8 configures its YAML parser to only instantiate safe types.

如何修補 CVE-2020-2123

要修補 CVE-2020-2123,請將受影響套件升級到下列已修補版本。

—升級至 1.8 或更新版本

CVE-2020-2123 正在被利用嗎?

低 — EPSS 為 0.8%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 1.8

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2123
PATCHgithub.com/jenkinsci/radargun-plugin
WEBgithub.com/jenkinsci/radargun-plugin/commit/63aba3b31d1a8ea140f26923eb48a25ef7f87e87
WEBjenkins.io/security/advisory/2020-02-12/#SECURITY-1733