GHSA-5qff-7944-vq4f

Source

https://github.com/advisories/GHSA-5qff-7944-vq4f

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5qff-7944-vq4f/GHSA-5qff-7944-vq4f.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5qff-7944-vq4f

Aliases

CVE-2020-2168

Published

2022-05-24T17:12:41Z

Modified

2023-11-08T04:02:54.469481Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

RCE vulnerability in Jenkins Azure Container Service Plugin

Details

Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Azure Container Service Plugin’s build step.

Azure Container Service Plugin 1.0.2 configures its YAML parser to only instantiate safe types.

Database specific

{
    "nvd_published_at": "2020-03-25T17:15:00Z",
    "github_reviewed_at": "2022-12-22T14:02:34Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20",
        "CWE-502"
    ]
}

References

Affected packages

Maven / org.jenkins-ci.plugins:azure-acs

Package

Name: org.jenkins-ci.plugins:azure-acs; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/azure-acs

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.2

Affected versions

0.*

0.1.0

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

1.*

1.0.0

1.0.1