GSA_kwCzR0hTQS03MjNwLTlyY2oteHY4as4AAjkq

High EPSS: 0.00807% (0.73422 Percentile) EPSS:

Permalink JSON

RCE vulnerability in RadarGun Plugin

Affected Packages	Affected Versions	Fixed Versions
maven:org.jenkins-ci.plugins:radargun	< 1.8	1.8

RadarGun Plugin 1.7 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to configure RadarGun Plugin’s build step.

RadarGun Plugin 1.8 configures its YAML parser to only instantiate safe types.

References:

https://nvd.nist.gov/vuln/detail/CVE-2020-2123
https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1733
http://www.openwall.com/lists/oss-security/2020/02/12/3
https://github.com/jenkinsci/radargun-plugin/commit/63aba3b31d1a8ea140f26923eb48a25ef7f87e87
https://github.com/advisories/GHSA-723p-9rcj-xv8j

Identifiers

GHSA-723p-9rcj-xv8j

CVE-2020-2123

Risk

Severity

High

EPSS

EPSS Percentage: 0.00807

EPSS Percentile: 0.73422

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/jenkinsci/radargun-plugin

Date and time

Published

over 3 years ago

Updated

3 days ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories