[JENKINS:SECURITY-1731] RCE vulnerability in `google-kubernetes-engine`

Severity High
Affected Packages 2
Fixed Packages 2
CVEs 1

google-kubernetes-engine 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary Java types named by YAML type tags in the input.
This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to google-kubernetes-engine's build step, since a crafted tag can instantiate any class on the classpath with a suitable constructor.

google-kubernetes-engine 0.8.1 configures its YAML parser to only instantiate safe types.
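The two parser configurations described above, as an added example that is not code from the plugin or the Jenkins advisory. It assumes the plugin's parser is SnakeYAML (the usual choice for Jenkins plugins; the advisory does not name it), SnakeYAML 1.33 for the pre-fix behaviour (2.x rejects global tags by default, so `loadUnsafe` would throw there as well), and a constructed manifest that smuggles a `!!java.io.File` tag into a field the caller expects to be a string. A harmless type is used deliberately; the point is that the default `Constructor` honours the tag at all, while `SafeConstructor` only builds scalars, sequences and mappings.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlTypeTagDemo {

    // Constructed sample input: a Kubernetes-style manifest whose
    // metadata.name carries a global tag instead of a plain scalar.
    static final String DOC =
            "apiVersion: v1\n"
          + "kind: ConfigMap\n"
          + "metadata:\n"
          + "  name: !!java.io.File [\"/tmp/not-a-string\"]\n";

    // Pre-fix behaviour (assumed): the default Constructor resolves
    // !!java.* tags by reflection and calls a matching constructor.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Post-fix behaviour: SafeConstructor has no resolver for
    // application-defined tags and throws ConstructorException.
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(doc);
    }

    // Returns the runtime class of metadata.name after an unsafe load,
    // which shows that the tag chose the type, not the application.
    static String unsafeNameType(String doc) {
        Map<?, ?> root = (Map<?, ?>) loadUnsafe(doc);
        Map<?, ?> metadata = (Map<?, ?>) root.get("metadata");
        return metadata.get("name").getClass().getName();
    }

    // Returns true when the safe parser refuses the document.
    static boolean safeParserRejects(String doc) {
        try {
            loadSafe(doc);
            return false;
        } catch (ConstructorException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("default Constructor built: " + unsafeNameType(DOC));
        System.out.println("SafeConstructor rejected the tag: " + safeParserRejects(DOC));
    }
}
```

The same document parsed with `SafeConstructor` fails before any object is built, which is the property the 0.8.1 fix relies on. When reviewing a plugin for this class of bug, search for `new Yaml()` with no constructor argument; any such call that receives user-controlled input is a candidate.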

ID: JENKINS:SECURITY-1731
Severity: high
Published: 2020-02-12T00:00:00
Modified: 2020-02-12T00:00:00
Rights: Jenkins Security Team
Other Advisories
Source: Plugin repository; Name: google-kubernetes-engine repository; URL: https://github.com/jenkinsci/google-kubernetes-engine-plugin
Packages (Type; Package URL; Namespace; Name; Version)
Affected; pkg:maven/org.jenkins-ci.plugins/google-kubernetes-engine; org.jenkins-ci.plugins; google-kubernetes-engine; <= 0.8.0
Fixed; pkg:maven/org.jenkins-ci.plugins/google-kubernetes-engine; org.jenkins-ci.plugins; google-kubernetes-engine; = 0.8.1
Affected; pkg:github/jenkinsci/google-kubernetes-engine-plugin; jenkinsci; google-kubernetes-engine-plugin; <= 0.8.0
Fixed; pkg:github/jenkinsci/google-kubernetes-engine-plugin; jenkinsci; google-kubernetes-engine-plugin; = 0.8.1