Bug 1827201 (CVE-2020-10721) - CVE-2020-10721 fabric8-maven-plugin: insecure way to construct Yaml Object leading to remote code execution
Summary: CVE-2020-10721 fabric8-maven-plugin: insecure way to construct Yaml Object le...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-10721
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1821749
TreeView+ depends on / blocked
 
Reported: 2020-04-23 12:23 UTC by Dhananjay Arunesh
Modified: 2021-02-16 20:14 UTC (History)
10 users (show)

Fixed In Version: jkube-1.0.0
Clone Of:
Environment:
Last Closed: 2020-10-20 20:21:14 UTC
Embargoed:

Attachments (Terms of Use)

Description Dhananjay Arunesh 2020-04-23 12:23:55 UTC 
A vulnerability was found in fabric8io/fabric8-maven-plugin in YamlUtil.java  where an insecure way to construct Yaml Object leading to remote code execution.
Comment 3 Jonathan Christison 2020-04-29 08:46:09 UTC 
Acknowledgments:

Name: Srikanth Ramu
Comment 5 Jonathan Christison 2020-10-20 17:48:12 UTC 
Statement:

As this vulnerability is only present in community versions of the fabric8 maven plugin (4.0.0 and later) and has since been superseded by the Eclipse project JKube we would recommend any users of the fabric8-maven-plugin migrate to [JKube](https://www.eclipse.org/jkube/) there is a migration guide available [here](https://www.eclipse.org/jkube/docs/migration-guide/) to assist with this.
Comment 6 Product Security DevOps Team 2020-10-20 20:21:14 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10721
Note You need to log in before you can comment on or make changes to this bug.