AWS SAM Plugin 1.2.2 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to configure a job or control the contents of a previously configured "AWS SAM deploy application" build stepβs YAML SAM template file (template.yaml
or equivalent) file.
AWS SAM Plugin 1.2.3 configures its YAML parser to only instantiate safe types.
CPE | Name | Operator | Version |
---|---|---|---|
io.jenkins.plugins:aws-sam | eq | 1.2.2 |