RCE vulnerability in Google Kubernetes Engine Plugin
High severity
GitHub Reviewed
Published
May 24, 2022
to the GitHub Advisory Database
•
Updated Jan 30, 2023
Package
Affected versions
< 0.8.1
Patched versions
0.8.1
Description
Published by the National Vulnerability Database
Feb 12, 2020
Published to the GitHub Advisory Database
May 24, 2022
Reviewed
Jan 14, 2023
Last updated
Jan 30, 2023
Google Kubernetes Engine Plugin 0.8.0 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution vulnerability exploitable by users able to provide YAML input files to Google Kubernetes Engine Plugin’s build step.
Google Kubernetes Engine Plugin 0.8.1 configures its YAML parser to only instantiate safe types.
References