RCE vulnerability in Jenkins AWS SAM Plugin

🗓️ 24 May 2022 17:15:35Reported by GitHub Advisory DatabaseType

RCE vulnerability in Jenkins AWS SAM Plugin AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to configure a job or control the contents of a previously configured "AWS SAM deploy application" build step’s YAML SAM template file (`template.yaml` or equivalent) file. AWS SAM Plugin 1.2.3 configures its YAML parser to only instantiate safe types

Reporter	Title	Published	Views	Family All 9
CNVD	CloudBees Jenkins AWS SAM Plugin Code Issue Vulnerability	17 Apr 202000:00	–	cnvd
CVE	CVE-2020-2180	16 Apr 202013:35	–	cve
Cvelist	CVE-2020-2180	16 Apr 202013:35	–	cvelist
EUVD	EUVD-2022-5028	3 Oct 202520:07	–	euvd
NVD	CVE-2020-2180	16 Apr 202019:15	–	nvd
OSV	GHSA-QRM8-CW73-R9W8 RCE vulnerability in Jenkins AWS SAM Plugin	24 May 202217:15	–	osv
Prion	Remote code execution	16 Apr 202019:15	–	prion
Positive Technologies	PT-2020-15393 · Jenkins · Jenkins Aws Sam Plugin +1	16 Apr 202000:00	–	ptsecurity
RedhatCVE	CVE-2020-2180	22 May 202516:07	–	redhatcve

Vulners

Node

io.jenkins.plugins aws-samRange≤1.2.2maven

Source	Link
nvd	www.nvd.nist.gov/vuln/detail/CVE-2020-2180
jenkins	www.jenkins.io/security/advisory/2020-04-16/
openwall	www.openwall.com/lists/oss-security/2020/04/16/4
github	www.github.com/jenkinsci/aws-sam-plugin/commit/6ddcb029638b5af05df701a11139d6a6c015ab7e
github	www.github.com/advisories/GHSA-qrm8-cw73-r9w8

06 Dec 2023 21:10Current

8.9High risk

Vulners AI Score8.9

CVSS 26.5

CVSS 3.18.8

EPSS0.00807

CWE-502