VYPR
High severity · NVD Advisory · Published Apr 16, 2020 · Updated Aug 4, 2024

CVE-2020-2179

Description

Jenkins Yaml Axis Plugin 0.2.0 and earlier lacks YAML parser type restrictions, allowing remote code execution by authenticated users able to configure a Matrix job or control SCM contents.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Jenkins Yaml Axis Plugin, used to define build matrix axes from YAML files, does not configure its YAML parser to prevent the instantiation of arbitrary types [1][2][3]. Versions 0.2.0 and earlier are affected, meaning the parser can deserialize arbitrary Java objects, leading to remote code execution (RCE) [2][3].

Exploitation

To exploit this vulnerability, an attacker must be able to configure a multi-configuration (Matrix) project in Jenkins, or control the contents of an SCM repository used by an already-configured Matrix job [3]. The plugin parses the YAML file without restricting the types that can be instantiated, so a crafted YAML payload can trigger arbitrary object creation, resulting in code execution on the Jenkins controller [2][3].

Impact

Successful exploitation allows an attacker to execute arbitrary code on the Jenkins controller, compromising the entire Jenkins instance and any builds or data it manages. This is rated as High severity (CVSS) due to the potential for full system compromise [3].

Mitigation

The vulnerability is fixed in Yaml Axis Plugin version 0.2.1, which configures the YAML parser to only allow safe types [2][3]. Users should update immediately. No workaround is available for earlier versions.
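The following stand-alone Java program is an added illustration, not code from the plugin, the advisory or the fix commit. It contrasts the unrestricted `new Yaml()` the loaders used before the fix with the `new Yaml(new SafeConstructor())` they use after it, against the SnakeYAML 1.26 API the patch pins. The class `YamlTypeRestrictionDemo`, its nested `Greeting` bean and both YAML documents are constructed for the demonstration; the tag names a harmless local class only to show that the default constructor resolves global tags to classes, while `SafeConstructor` refuses them and still parses ordinary axis definitions into plain maps and lists.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

// Added example (not part of the yaml-axis plugin). Assumes SnakeYAML 1.26 on the
// classpath and that this file is compiled in the default package, so the binary
// name of the nested bean is "YamlTypeRestrictionDemo$Greeting".
public class YamlTypeRestrictionDemo {

    // Harmless bean standing in for "any class the parser can find on the classpath".
    public static class Greeting {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // Constructed sample: a global "!!" tag asks the parser to instantiate a Java class.
    static final String TAGGED_DOC = "!!YamlTypeRestrictionDemo$Greeting {name: axis}";

    // Constructed sample: an untagged document shaped like a matrix-axis definition.
    static final String PLAIN_DOC = "os: [linux, windows]\njdk: [8, 11]";

    // Mirrors the pre-fix loaders: the default Constructor resolves tags via Class.forName.
    static <T> T loadUnrestricted(String doc) {
        return new Yaml().load(doc);
    }

    // Mirrors the patched loaders: SafeConstructor only knows the standard YAML tags
    // (str, int, float, bool, null, seq, map, set, timestamp, binary, omap, pairs).
    static <T> T loadRestricted(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        // Unrestricted: the parser builds an instance of the class named in the tag.
        Object unrestricted = loadUnrestricted(TAGGED_DOC);
        System.out.println("default Constructor built: " + unrestricted.getClass().getName());

        // Restricted: the same document is rejected before any class lookup happens.
        try {
            loadRestricted(TAGGED_DOC);
            System.out.println("unexpected: SafeConstructor accepted the tag");
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }

        // Restricted parsing still yields the plain map/list structure the plugin needs.
        Map<String, Object> axes = loadRestricted(PLAIN_DOC);
        System.out.println("axes: " + axes);
    }
}
```

Compile and run it with `org.yaml:snakeyaml:1.26` on the classpath. The point to take from the two calls is that the SafeConstructor change, not the dependency version bump, is what closes the type-instantiation path: the default `Constructor` in 1.26 still resolves global tags to classes exactly as older releases did.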

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:yaml-axis (Maven)
Affected versions: < 0.2.1
Patched versions: 0.2.1

Affected products: 2

Patches (1)
346802860c68

Merge pull request #17 from jenkinsci/SECURITY-1825

https://github.com/jenkinsci/yaml-axis-plugin · GO Sueyoshi · Apr 6, 2020 · via ghsa
3 files changed · +5 −3
  • build.gradle (+1 −1, modified)
    @@ -47,7 +47,7 @@ repositories {
     dependencies {
         // NOTE: groovy version included in Jenkins is 1.8.9
         runtime 'org.codehaus.groovy:groovy-all:1.8.9'
    -    compile 'org.yaml:snakeyaml:1.16'
    +    compile 'org.yaml:snakeyaml:1.26'
     
         testCompile 'org.spockframework:spock-core:0.7-groovy-1.8'
     
    
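Review bot: the bump from `compile 'org.yaml:snakeyaml:1.16'` to `compile 'org.yaml:snakeyaml:1.26'` does not by itself change which classes the parser will instantiate; `new Yaml()` with the default Constructor still resolves global tags to classes in 1.26, so this hunk is a dependency refresh and the SafeConstructor change in the two loaders is the actual fix. Worth saying so in the commit message, so that anyone backporting does not treat the version bump alone as sufficient.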
  • src/main/groovy/org/jenkinsci/plugins/yamlaxis/YamlFileLoader.groovy (+2 −1, modified)
    @@ -3,6 +3,7 @@ import groovy.transform.TupleConstructor
     import hudson.FilePath
     import hudson.Util
     import org.yaml.snakeyaml.Yaml
    +import org.yaml.snakeyaml.constructor.SafeConstructor
     
     @TupleConstructor
     class YamlFileLoader extends YamlLoader {
    @@ -17,7 +18,7 @@ class YamlFileLoader extends YamlLoader {
                 return null
             }
     
    -        Yaml yaml = new Yaml()
    +        Yaml yaml = new Yaml(new SafeConstructor())
             InputStream input = createFilePath().read()
     
             try{
    
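Review bot: `Yaml yaml = new Yaml(new SafeConstructor())` is the right restriction: SafeConstructor registers constructors only for the standard YAML tags and throws a ConstructorException for any other global tag, so a document tagged with a Java class name never reaches Class.forName. Two follow-ups for this hunk: `InputStream input = createFilePath().read()` is opened before the `try{` shown as trailing context, so confirm the try has a finally that closes it (or use Groovy's `withStream`), and add a regression test asserting that a file carrying a `!!` class tag now fails to load, since nothing in this diff exercises the new behaviour.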
  • src/main/groovy/org/jenkinsci/plugins/yamlaxis/YamlTextLoader.groovy (+2 −1, modified)
    @@ -1,6 +1,7 @@
     package org.jenkinsci.plugins.yamlaxis
     import groovy.transform.TupleConstructor
     import org.yaml.snakeyaml.Yaml
    +import org.yaml.snakeyaml.constructor.SafeConstructor
     
     @TupleConstructor
     class YamlTextLoader extends YamlLoader {
    @@ -10,7 +11,7 @@ class YamlTextLoader extends YamlLoader {
     
         @Override
         Map getContent() {
    -        Yaml yaml = new Yaml()
    +        Yaml yaml = new Yaml(new SafeConstructor())
             yaml.load(yamlText)
         }
     }
    
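Review bot: same SafeConstructor fix as in YamlFileLoader, which is correct, but both loaders now construct their Yaml instance with identical code; move that into the shared `YamlLoader` base class (for example a `protected Yaml newYaml()` helper) so a future parser option cannot be applied to one loader and forgotten in the other. Separately, `yaml.load(yamlText)` is returned straight from `Map getContent()` with no shape check; a document whose root is a scalar or sequence will fail at the Groovy cast to Map with an unhelpful error, so an explicit `instanceof Map` check with a descriptive message would make a malformed axis definition easier to diagnose.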

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 1