Description
Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/03/25/2
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1741
Related Vulnerabilities
CVE-2021-29425 Vulnerability in maven package commons-io:commons-io
CVE-2019-15608 Vulnerability in maven package org.webjars.npm:yarn
CVE-2022-24999 Vulnerability in npm package qs
CVE-2022-48285 Vulnerability in maven package org.webjars.npm:jszip
CVE-2023-30522 Vulnerability in maven package org.jenkins-ci.plugins:fogbugz