
CVE-2020-2121: RCE vulnerability in Google Kubernetes Engine Plugin

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.83167%
Published: 5/24/2022
Updated: 1/30/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name: org.jenkins-ci.plugins:google-kubernetes-engine
Ecosystem: maven
Vulnerable Versions: < 0.8.1
First Patched Version: 0.8.1

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from unsafe YAML deserialization. The advisory explicitly states the parser wasn't restricted to safe types. In Java/YAML ecosystems (e.g., SnakeYAML), this typically manifests when using Yaml.load() without a restricted constructor. The KubernetesEngineBuilder class would logically handle YAML input during build steps, and the patch in 0.8.1 would have added a type-safe constructor configuration here. While exact method names aren't visible without code diffs, the pattern matches CWE-502 exploitation vectors in YAML parsing contexts.
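The difference between an unrestricted and a type-restricted YAML parser, as an added example that is not the plugin's code or its patch. It assumes SnakeYAML 1.x (the page names SnakeYAML only as an example; 2.x rejects such tags by default), and the class name and sample manifest are constructed for illustration.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlLoaderComparison {

    // Constructed sample input: a manifest-like document in which one value
    // carries a global tag naming a Java class (a harmless JDK type here).
    static final String TAGGED_MANIFEST =
        "kind: Deployment\n"
        + "metadata:\n"
        + "  name: demo\n"
        + "  annotations: !!java.util.concurrent.atomic.AtomicInteger {}\n";

    // Unrestricted parser (assumed SnakeYAML 1.x default): the tag in the
    // document decides which class gets instantiated.
    static Object loadUnrestricted(String yaml) {
        return new Yaml().load(yaml);
    }

    // Restricted parser: SafeConstructor only builds standard YAML types
    // (maps, lists, strings, numbers, booleans, ...) and rejects other tags.
    static Object loadSafe(String yaml) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(yaml);
    }

    // Reports the runtime class chosen for metadata.annotations.
    @SuppressWarnings("unchecked")
    static String annotationsType(Object doc) {
        Map<String, Object> root = (Map<String, Object>) doc;
        Map<String, Object> meta = (Map<String, Object>) root.get("metadata");
        return meta.get("annotations").getClass().getName();
    }

    public static void main(String[] args) {
        System.out.println("unrestricted: annotations is "
            + annotationsType(loadUnrestricted(TAGGED_MANIFEST)));
        try {
            loadSafe(TAGGED_MANIFEST);
            System.out.println("safe: document accepted");
        } catch (YAMLException e) {
            // The tagged node is refused before any object of that type exists.
            System.out.println("safe: rejected, " + e.getMessage().split("\n")[0]);
        }
    }
}
```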


WAF Protection Rules

WAF Rule

Google Kubernetes Engine Plugin *.*.* and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Googl…
