CVE-2020-2121 — RCE vulnerability in Google Kubernetes Engine Plugin

Description

Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Google Kubernetes Engine Plugin’s build step. Google Kubernetes Engine Plugin 0.8.1 configures its YAML parser to only instantiate safe types.

How to fix CVE-2020-2121

To remediate CVE-2020-2121, upgrade the affected package to a fixed version below.

—upgrade to 0.8.1 or later

Is CVE-2020-2121 being exploited?

Low — EPSS is 1.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.8.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2121
PATCHgithub.com/jenkinsci/google-kubernetes-engine-plugin
WEBjenkins.io/security/advisory/2020-02-12/#SECURITY-1731
WEBwww.openwall.com/lists/oss-security/2020/02/12/3