Azure Container Service Plugin 1.0.1 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Azure Container Service Plugin’s build step.

Azure Container Service Plugin 1.0.2 configures its YAML parser to only instantiate safe types.

Affected Packages

Maven org.jenkins-ci.plugins:azure-acs

Affected versions: 0 (fixed in 1.0.2)

Related CVEs

CVE-2020-2168

Key Information

GHSA ID

GHSA-5qff-7944-vq4f

Published

May 24, 2022 5:12 PM

Last Modified

December 22, 2022 2:02 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:azure-acs

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.