Miggo Logo
Miggo Vulnerability Database
CVE-2020-2189

CVE-2020-2189: RCE vulnerability in SCM Filter Jervis Plugin

8.8

CVSS Score
3.0

Basic Information

CVE ID
CVE-2020-2189
GHSA ID
GHSA-4hhq-j3xw-wj89
EPSS Score
0.73202%
CWE
CWE-502
Published
5/24/2022
Updated
12/7/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
io.jenkins.plugins:scm-filter-jervismaven<= 0.2.10.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is related to the deserialization of untrusted data due to the YAML parser not being configured safely. The patch changes how the YAML parser is configured to prevent arbitrary type instantiation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

S*M *ilt*r J*rvis Plu*in *.*.* *n* **rli*r *o*s not *on*i*ur* its Y*ML p*rs*r to pr*v*nt t** inst*nti*tion o* *r*itr*ry typ*s. T*is r*sults in * r*mot* *o** *x**ution (R**) vuln*r**ility *xploit**l* *y us*rs **l* to *on*i*ur* jo*s wit* t** *ilt*r, or

Reasoning

T** vuln*r**ility is r*l*t** to t** **s*ri*liz*tion o* untrust** **t* *u* to t** `Y*ML` p*rs*r not **in* *on*i*ur** s***ly. T** p*t** ***n**s *ow t** `Y*ML` p*rs*r is *on*i*ur** to pr*v*nt *r*itr*ry typ* inst*nti*tion.