CVE-2020-2211

CWE-502 — Deserialization of Untrusted Data5 documents5 sources

Severity

8.8HIGH

EPSS

0.8%

top 25.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Elasticbox Jenkins Kubernetes Ci/cd Plugin Jenkins Kubernetes CI

Timeline

PublishedJul 2

Latest updateMay 24

Description

Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Mavencom.elasticbox.jenkins-ci.plugins:kubernetes-ci1.3

▶CVEListV5jenkins_project/jenkins_elasticbox_jenkins_kubernetes_ci/cd_pluginunspecified — 1.3

▶NVDjenkins/kubernetes_ci1.3

🔴Vulnerability Details

GHSA

RCE vulnerability in ElasticBox Jenkins Kubernetes CI/CD Plugin↗2022-05-24

▶

OSV

RCE vulnerability in ElasticBox Jenkins Kubernetes CI/CD Plugin↗2022-05-24

▶

CVEList

CVE-2020-2211: Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1↗2020-07-02

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2020-07-02↗2020-07-02

▶