teilo has reported in a GitHub comment that:
https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md
There is no vulnerability in snakeyaml - it works as expected - the vulnerability is in any libraries that use it insecurely with untrusted data. The Jenkins plugin ecosystem has been checked for this usage.
There was a very good commentary on this in the snakeyaml issue tracker - but it seems the whole issue tracker has gone awol :-o
Additionally, as commented above, 2.0 is potentially breaking, so this needs some time to check that all consumers will not break and adjust them as appropriate. In the interim, unless you are using a plugin that has not come from a supported Jenkins update center, your scanner is wrong, i.e. check the plugins you have installed in your instance that depend on this plugin, and if any are internally written or have been installed manually then they need to be inspected.
I reduced the severity of this from Critical to Minor, since the benefit to Jenkins users is to avoid spurious warnings from security scanners, not to resolve a vulnerability.
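The distinction teilo draws above (the library behaves as designed; the risk is a consumer feeding untrusted YAML to the default loader) is easier to see with the two loader configurations side by side. The following Java program is an added example, not code from this issue, from the snakeyaml project or from any Jenkins plugin. It assumes SnakeYAML 1.33 or 2.x on the classpath; the class name SnakeYamlUsageDemo and the sample YAML document are constructed for illustration. With 1.x, the default Constructor honours the global tag and instantiates the named JVM class; with 2.0, the default LoaderOptions carry a tag inspector that rejects global tags, which is the compatibility break the thread refers to. SafeConstructor rejects the tag on both versions.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlUsageDemo {

    // Constructed sample input: a global tag asks the loader to instantiate an
    // arbitrary JVM class. A harmless class is used here; the point is that the
    // class name is chosen by whoever supplies the document.
    static final String UNTRUSTED_DOC = "!!java.lang.StringBuilder 'from untrusted input'\n";

    /** Consumer pattern that scanners flag: the default loader resolves !!fully.qualified.Class tags. */
    static Object loadWithDefaultLoader(String yaml) {
        return new Yaml().load(yaml);
    }

    /** Hardened pattern: SafeConstructor only builds standard YAML types (maps, lists, scalars). */
    static Object loadWithSafeConstructor(String yaml) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(yaml);
    }

    static String describe(String label, java.util.function.Function<String, Object> loader) {
        try {
            Object result = loader.apply(UNTRUSTED_DOC);
            // Reached on SnakeYAML 1.x with the default loader: the tag was honoured.
            return label + " built an instance of " + result.getClass().getName();
        } catch (YAMLException e) {
            // Reached for SafeConstructor on any version, and for the default
            // loader on 2.x (global tags are rejected by the default tag inspector).
            return label + " rejected the document: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(describe("default loader", SnakeYamlUsageDemo::loadWithDefaultLoader));
        System.out.println(describe("SafeConstructor", SnakeYamlUsageDemo::loadWithSafeConstructor));
    }
}
```

When auditing an in-house or manually installed plugin as the comment suggests, the thing to grep for is a `new Yaml()` or `new Yaml(new Constructor(...))` whose `load`/`loadAll` argument can originate outside the controller (job parameters, SCM-fetched files, webhook bodies); a `new Yaml(new SafeConstructor(...))` on the same path is the fix, and any remaining default-loader usage is only acceptable if the YAML it parses is authored by the plugin or by an administrator.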