CVE-2020-2121
Description
Jenkins Google Kubernetes Engine Plugin 0.8.0 and earlier unsafely parses YAML, allowing remote attackers to execute arbitrary code on the Jenkins controller.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability: Unsafe YAML Deserialization
Jenkins Google Kubernetes Engine Plugin versions 0.8.0 and earlier fail to configure their YAML parser securely, so the parser may instantiate arbitrary Java types during deserialization [1][3]. The root cause is a classic unsafe deserialization flaw: user-supplied YAML is parsed without any restriction on the types that can be created. The plugin does not use features such as Yaml.addTypeDescription restrictions or the NoArgConstructor check to prevent arbitrary object creation.
Exploitation
Prerequisites
An attacker can exploit this weakness by providing a malicious YAML payload through any channel that the plugin processes as YAML input. This requires the ability to send crafted data to an instance where the plugin is installed and used—often a user with access to a Jenkins job that uses the Google Kubernetes Engine build step. No authentication is strictly needed if the plugin is exposed on an unauthenticated endpoint, as in typical Jenkins configurations [2]. The vulnerability is remotely exploitable without prior authentication.
Impact
Successful exploitation results in remote code execution (RCE) on the Jenkins controller [1][3]. This means an attacker can execute arbitrary commands or deploy malicious code on the server, effectively gaining full control over the Jenkins instance and any systems it manages, including Kubernetes clusters configured for deployment.
Mitigation
Jenkins has released Google Kubernetes Engine Plugin version 0.8.1, which fixes the vulnerability by configuring the YAML parser with a whitelist of allowed types [1][2]. Users are strongly advised to upgrade to the latest version immediately. No workarounds are documented; upgrading is the only effective mitigation. The vulnerability carries a CVSS severity rating of critical, reflecting the risk of full server compromise.
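As an added illustration of the root cause and of the fix described above, not code from the plugin or from the Jenkins advisory: the example below places the weak SnakeYAML configuration (a no-argument `Yaml()`, whose default `Constructor` resolves and instantiates any class named by an explicit `!!` tag) beside a `SafeConstructor`-backed parser that only ever produces plain maps, lists and scalars and rejects unknown tags, then maps the plain map onto the expected type by hand. It assumes SnakeYAML 1.x on the classpath; the `ClusterSpec` type, its field names and the two YAML documents are constructed for this example.

```java
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

/**
 * Added example, not code from the plugin or the advisory. Assumes SnakeYAML 1.x;
 * ClusterSpec and the YAML documents in main() are constructed for illustration.
 */
public class GkeYamlParsing {

    /** The few fields a GKE-style build step might read from YAML (constructed type). */
    public static final class ClusterSpec {
        public final String projectId;
        public final String zone;
        public final String clusterName;

        ClusterSpec(String projectId, String zone, String clusterName) {
            this.projectId = projectId;
            this.zone = zone;
            this.clusterName = clusterName;
        }

        @Override
        public String toString() {
            return "ClusterSpec{" + projectId + ", " + zone + ", " + clusterName + "}";
        }
    }

    /**
     * Before: the no-arg Yaml() wires in org.yaml.snakeyaml.constructor.Constructor,
     * which honours explicit global tags ("!!fully.qualified.ClassName") and instantiates
     * whatever class the document names, populated from the document's own values.
     */
    public static Object parseUnrestricted(String document) {
        return new Yaml().load(document);
    }

    /**
     * After: SafeConstructor only builds Map, List, String, Number, Boolean and Date,
     * and throws ConstructorException for any tag it does not know, so a document
     * cannot name a class to instantiate.
     */
    public static Map<String, Object> parseRestricted(String document) {
        Object root = new Yaml(new SafeConstructor()).load(document);
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at the document root");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> mapping = (Map<String, Object>) root;
        return mapping;
    }

    /** Maps the plain Map onto the expected type explicitly, checking each field's type. */
    public static ClusterSpec toClusterSpec(Map<String, Object> mapping) {
        return new ClusterSpec(
                requireString(mapping, "projectId"),
                requireString(mapping, "zone"),
                requireString(mapping, "clusterName"));
    }

    private static String requireString(Map<String, Object> mapping, String key) {
        Object value = mapping.get(key);
        if (!(value instanceof String)) {
            throw new IllegalArgumentException("field '" + key + "' must be a string");
        }
        return (String) value;
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign document and one carrying an explicit class tag.
        String benign = "projectId: example-project\nzone: us-central1-a\nclusterName: ci\n";
        String tagged = "!!com.example.NotOnTheAllowlist {projectId: x}\n";

        // Both parsers return the same Map for benign input, which is why an
        // unrestricted parser configuration goes unnoticed in normal use.
        System.out.println("unrestricted: " + parseUnrestricted(benign));
        System.out.println("restricted:   " + toClusterSpec(parseRestricted(benign)));

        // Only the restricted parser refuses a document that names a class.
        try {
            parseRestricted(tagged);
            System.out.println("restricted parser accepted the tagged document (unexpected)");
        } catch (ConstructorException e) {
            System.out.println("restricted parser rejected the tag: " + e.getMessage());
        }
    }
}
```

Compile and run with a SnakeYAML 1.x jar on the classpath. The design point is that the parser never sees a type name it could resolve: `SafeConstructor` yields only standard collections and scalars, and the mapping onto `ClusterSpec` is done in application code where each field is checked. Under SnakeYAML 2.x the constructor signature changed, so the safe parser is built as `new Yaml(new SafeConstructor(new LoaderOptions()))`.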
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:google-kubernetes-engine (Maven) | < 0.8.1 | 0.8.1 |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-wf76-qgqq-gcfj (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-2121 (NVD)
- www.openwall.com/lists/oss-security/2020/02/12/3 (oss-security mailing list)
- jenkins.io/security/advisory/2020-02-12/ (Jenkins security advisory)
News mentions
- Jenkins Security Advisory 2020-02-12 (Jenkins Security Advisories, Feb 12, 2020)