[MAVEN:GHSA-QRM8-CW73-R9W8] RCE vulnerability in Jenkins AWS SAM Plugin

Severity High
Affected Packages 1
Fixed Packages 1
CVEs 1

AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to configure a job or control the contents of a previously configured "AWS SAM deploy application" build step's SAM template file (template.yaml or equivalent).

AWS SAM Plugin 1.2.3 configures its YAML parser to only instantiate safe types.
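The two parser configurations described above, side by side, as an added example that is not the plugin's own code. It assumes the template is read with SnakeYAML (org.yaml.snakeyaml) 1.33 or later; the template text is constructed, and the tagged class is chosen to be harmless.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SamTemplateLoader {
    // Constructed sample: a minimal SAM template (plain YAML only).
    static final String SAM_BODY =
        "AWSTemplateFormatVersion: '2010-09-09'\n"
      + "Transform: AWS::Serverless-2016-10-31\n"
      + "Resources:\n"
      + "  HelloFunction:\n"
      + "    Type: AWS::Serverless::Function\n"
      + "    Properties:\n"
      + "      Handler: example.Handler\n"
      + "      Runtime: java11\n";

    // Same template plus one value carrying a global (Java class) tag, the kind of
    // input the fixed parser must reject. Whoever writes the file picks the class.
    static final String TAGGED = SAM_BODY + "Metadata:\n  Tagged: !!java.util.ArrayList []\n";

    // Pattern of 1.2.2 and earlier: with SnakeYAML 1.x the default Yaml() maps a
    // global tag to a class name and instantiates that class while loading.
    static Map<String, Object> parseUnsafe(String text) {
        return new Yaml().load(text);
    }

    // Pattern of 1.2.3: SafeConstructor builds only the standard YAML types
    // (maps, lists, scalars, timestamps) and throws on any other tag.
    static Map<String, Object> parseSafe(String text) {
        Yaml parser = new Yaml(new SafeConstructor(new LoaderOptions()));
        return parser.load(text);
    }

    public static void main(String[] args) {
        Map<?, ?> metadata = (Map<?, ?>) parseUnsafe(TAGGED).get("Metadata");
        // The class named in the file was instantiated by the default parser.
        System.out.println("default parser built: " + metadata.get("Tagged").getClass().getName());
        try {
            parseSafe(TAGGED);
            System.out.println("unexpected: safe parser accepted the tagged value");
        } catch (YAMLException e) {
            System.out.println("safe parser rejected the tag: " + e.getMessage());
        }
        // Plain SAM content loads the same way with the hardened parser.
        Map<?, ?> resources = (Map<?, ?>) parseSafe(SAM_BODY).get("Resources");
        System.out.println("safe parser loaded resources: " + resources.keySet());
    }
}
```

With SnakeYAML 2.x the default Yaml() already refuses global tags, so only the SafeConstructor branch is version-independent; the plugin fix is the same either way.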

Package                               Affected Version
pkg:maven/io.jenkins.plugins/aws-sam  <= 1.2.2

Package                               Fixed Version
pkg:maven/io.jenkins.plugins/aws-sam  = 1.2.3
ID
MAVEN:GHSA-QRM8-CW73-R9W8
Severity
high
URL
https://github.com/advisories/GHSA-qrm8-cw73-r9w8
Published
2022-05-24T17:15:35
Modified
2023-12-06T21:10:13
Rights
Maven Security Team
Other Advisories
Type      Package URL                           Namespace           Name / Product  Version   Distribution / Platform  Arch  Patch / Fix
Affected  pkg:maven/io.jenkins.plugins/aws-sam  io.jenkins.plugins  aws-sam         <= 1.2.2
Fixed     pkg:maven/io.jenkins.plugins/aws-sam  io.jenkins.plugins  aws-sam         = 1.2.3