OpenShift Pipeline Plugin 1.0.56 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to OpenShift Pipeline Plugin’s build step. OpenShift Pipeline Plugin 1.0.57 configures its YAML parser to only instantiate safe types.

Affected Packages

Maven com.openshift.jenkins:openshift-pipeline

Affected versions: 0 (fixed in 1.0.57)

Related CVEs

CVE-2020-2167

Key Information

GHSA ID

GHSA-264w-xrr7-6qqg

Published

May 24, 2022 5:12 PM

Last Modified

October 26, 2023 9:51 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

com.openshift.jenkins:openshift-pipeline

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 27, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.