PT-2020-12299 · Eclipse+1 · Eclipse Jkube+3

Dhananjay Arunesh

Published

2020-10-22

Updated

2022-05-24

CVE-2020-10721

CVSS v3.1

7.8

High

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions fabric8-maven-plugin versions 4.0.0 and later

Description A flaw in the fabric8-maven-plugin allows for deserialization of untrusted data when using a wildfly-swarm or thorntail custom configuration with a malicious YAML configuration file, resulting in arbitrary code execution. This poses a threat to data confidentiality and integrity, as well as system availability.

Recommendations For fabric8-maven-plugin versions 4.0.0 and later, migrate to Eclipse Jkube >= 1.0.0 to resolve the issue.

Fix

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

CVE-2020-10721

GHSA-W7GJ-H6F2-X4C6

Affected Products

Eclipse Jkube

Thorntail

Wildfly Swarm

Fabric8-Maven-Plugin

PT-2020-12299 · Eclipse+1 · Eclipse Jkube+3

CVE-2020-10721

Weakness Enumeration

Related Identifiers

Affected Products

References · 5