GHSA-wf76-qgqq-gcfj

Source

https://github.com/advisories/GHSA-wf76-qgqq-gcfj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wf76-qgqq-gcfj/GHSA-wf76-qgqq-gcfj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wf76-qgqq-gcfj

Aliases

CVE-2020-2121

Published

2022-05-24T17:08:47Z

Modified

2023-11-08T04:02:51.172662Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

RCE vulnerability in Google Kubernetes Engine Plugin

Details

Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Google Kubernetes Engine Plugin’s build step.

Google Kubernetes Engine Plugin 0.8.1 configures its YAML parser to only instantiate safe types.

Database specific

{
    "nvd_published_at": "2020-02-12T15:15:00Z",
    "github_reviewed_at": "2023-01-14T05:27:29Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-502"
    ]
}

References

Affected packages

Maven / org.jenkins-ci.plugins:google-kubernetes-engine

Package

Name: org.jenkins-ci.plugins:google-kubernetes-engine; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/google-kubernetes-engine

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.8.1

Affected versions

0.*

0.2.0

0.4.0

0.5.0

0.6.0

0.6.1

0.6.2

0.6.3

0.7.0

0.7.1

0.8.0