GHSA-w598-25hm-jqx3

GitHub Security Advisory

RCE vulnerability in Jenkins Pipeline: AWS Steps Plugin

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types. This results in a remote code execution (RCE) vulnerability exploitable by users able to provide YAML input files to Pipeline: AWS Steps Plugin’s build steps.

Pipeline: AWS Steps Plugin 1.41 configures its YAML parser to only instantiate safe types.
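
The two parser configurations the advisory contrasts, shown as an added example that is not the plugin's own code. It assumes the SnakeYAML 1.33 library (the advisory does not name the parser in use); the class and method names are hypothetical and both YAML inputs are constructed.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;
import java.util.function.Function;

// Added illustration; hypothetical class, not code from the plugin.
// Assumes SnakeYAML 1.33 on the classpath.
public class YamlSafeTypesDemo {
    // Constructed inputs. The first carries a global tag naming a Java class;
    // java.io.File is chosen because constructing one has no side effects.
    static final String TAGGED = "artifact: !!java.io.File /tmp/constructed-example\n";
    static final String PLAIN = "region: eu-west-1\nretries: 3\nbuckets: [logs, artifacts]\n";

    // SnakeYAML 1.x default: new Yaml() resolves global tags to classes.
    static Object loadDefault(String text) {
        return new Yaml().load(text);
    }

    // Restricted: SafeConstructor builds only standard YAML types
    // (maps, lists, strings, numbers, booleans, ...) and rejects other tags.
    static Object loadSafe(String text) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(text);
    }

    // Loads text and reports the Java type of each top-level value, or the rejection.
    static String report(String label, Function<String, Object> loader, String text) {
        try {
            StringBuilder out = new StringBuilder(label + ":");
            Map<?, ?> doc = (Map<?, ?>) loader.apply(text);
            for (Map.Entry<?, ?> e : doc.entrySet()) {
                out.append(' ').append(e.getKey()).append(" -> ")
                   .append(e.getValue().getClass().getName()).append(';');
            }
            return out.toString();
        } catch (YAMLException ex) {
            return label + ": rejected (" + ex.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        System.out.println(report("default, plain ", YamlSafeTypesDemo::loadDefault, PLAIN));
        System.out.println(report("default, tagged", YamlSafeTypesDemo::loadDefault, TAGGED));
        System.out.println(report("safe, plain    ", YamlSafeTypesDemo::loadSafe, PLAIN));
        System.out.println(report("safe, tagged   ", YamlSafeTypesDemo::loadSafe, TAGGED));
    }
}
```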

Affected Packages

Maven de.taimos:pipeline-aws
Affected versions: 0 (fixed in 1.41)

Key Information

GHSA ID: GHSA-w598-25hm-jqx3
Published: May 24, 2022 5:12 PM
Last Modified: December 22, 2022 2:00 PM
CVSS Score: 7.5/10
Primary Ecosystem: Maven
Primary Package: de.taimos:pipeline-aws
GitHub Reviewed: ✓ Yes

Dataset

Last updated: August 27, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.