Search criteria
4 vulnerabilities found for Kubernetes Java Client by Kubernetes
CVE-2021-25738 (GCVE-0-2021-25738)
Vulnerability from nvd – Published: 2021-10-11 18:55 – Updated: 2024-09-16 19:52
VLAI?
Title
Code exec via yaml parsing
Summary
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
Severity ?
6.7 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Kubernetes | Kubernetes Java Client |
Affected:
v12.0.0
Affected: unspecified , ≤ v11.0.1 (custom) Affected: unspecified , ≤ v10.0.1 (custom) Affected: unspecified , ≤ v9.0.2 (custom) |
Credits
Jordy Versmissen
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:11:27.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kubernetes-client/java/issues/1698"
},
{
"name": "[oss-security] 20220823 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/23/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kubernetes Java Client",
"vendor": "Kubernetes",
"versions": [
{
"status": "affected",
"version": "v12.0.0"
},
{
"lessThanOrEqual": "v11.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "v10.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "v9.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jordy Versmissen"
}
],
"datePublic": "2021-05-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T17:06:19",
"orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"shortName": "kubernetes"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubernetes-client/java/issues/1698"
},
{
"name": "[oss-security] 20220823 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/23/2"
}
],
"source": {
"defect": [
"https://github.com/kubernetes-client/java/issues/1698"
],
"discovery": "EXTERNAL"
},
"title": "Code exec via yaml parsing",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@kubernetes.io",
"DATE_PUBLIC": "2021-05-17T16:39:00.000Z",
"ID": "CVE-2021-25738",
"STATE": "PUBLIC",
"TITLE": "Code exec via yaml parsing"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Kubernetes Java Client",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "v12.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "v11.0.1"
},
{
"version_affected": "\u003c=",
"version_value": "v10.0.1"
},
{
"version_affected": "\u003c=",
"version_value": "v9.0.2"
}
]
}
}
]
},
"vendor_name": "Kubernetes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jordy Versmissen"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk",
"refsource": "MISC",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk"
},
{
"name": "https://github.com/kubernetes-client/java/issues/1698",
"refsource": "MISC",
"url": "https://github.com/kubernetes-client/java/issues/1698"
},
{
"name": "[oss-security] 20220823 Multiple vulnerabilities in Jenkins plugins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/08/23/2"
}
]
},
"source": {
"defect": [
"https://github.com/kubernetes-client/java/issues/1698"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"assignerShortName": "kubernetes",
"cveId": "CVE-2021-25738",
"datePublished": "2021-10-11T18:55:10.100025Z",
"dateReserved": "2021-01-21T00:00:00",
"dateUpdated": "2024-09-16T19:52:29.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8570 (GCVE-0-2020-8570)
Vulnerability from nvd – Published: 2021-01-21 17:09 – Updated: 2024-09-16 22:01
VLAI?
Title
Kubernetes Java client libraries unvalidated path traversal in Copy implementation
Summary
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
Severity ?
No CVSS data available.
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Kubernetes | Kubernetes Java Client |
Affected:
all versions prior to 9.0
Affected: 9.0 , < 9.0.2 (custom) Affected: 10.0 , < 10.0.1 (custom) |
Credits
Discovered via CodeQL automated scanning on GitHub
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:46.133Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kubernetes-client/java/issues/1491"
},
{
"name": "[druid-commits] 20210201 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210202 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942%40%3Ccommits.druid.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kubernetes Java Client",
"vendor": "Kubernetes",
"versions": [
{
"status": "affected",
"version": "all versions prior to 9.0"
},
{
"lessThan": "9.0.2",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"lessThan": "10.0.1",
"status": "affected",
"version": "10.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Discovered via CodeQL automated scanning on GitHub"
}
],
"datePublic": "2021-01-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-04T00:06:10",
"orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"shortName": "kubernetes"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubernetes-client/java/issues/1491"
},
{
"name": "[druid-commits] 20210201 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210202 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942%40%3Ccommits.druid.apache.org%3E"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to 9.0.2, 10.0.1 or 11.0.0 versions of the library."
}
],
"source": {
"defect": [
"https://github.com/kubernetes-client/java/issues/1491"
],
"discovery": "UNKNOWN"
},
"title": "Kubernetes Java client libraries unvalidated path traversal in Copy implementation",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@kubernetes.io",
"DATE_PUBLIC": "2021-01-11T23:15:00.000Z",
"ID": "CVE-2020-8570",
"STATE": "PUBLIC",
"TITLE": "Kubernetes Java client libraries unvalidated path traversal in Copy implementation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Kubernetes Java Client",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.0",
"version_value": "9.0.2"
},
{
"version_affected": "\u003c",
"version_name": "10.0",
"version_value": "10.0.1"
},
{
"version_value": "all versions prior to 9.0"
}
]
}
}
]
},
"vendor_name": "Kubernetes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Discovered via CodeQL automated scanning on GitHub"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-23 Relative Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg",
"refsource": "MISC",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg"
},
{
"name": "https://github.com/kubernetes-client/java/issues/1491",
"refsource": "MISC",
"url": "https://github.com/kubernetes-client/java/issues/1491"
},
{
"name": "[druid-commits] 20210201 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210202 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942@%3Ccommits.druid.apache.org%3E"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to 9.0.2, 10.0.1 or 11.0.0 versions of the library."
}
],
"source": {
"defect": [
"https://github.com/kubernetes-client/java/issues/1491"
],
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"assignerShortName": "kubernetes",
"cveId": "CVE-2020-8570",
"datePublished": "2021-01-21T17:09:21.689060Z",
"dateReserved": "2020-02-03T00:00:00",
"dateUpdated": "2024-09-16T22:01:55.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-25738 (GCVE-0-2021-25738)
Vulnerability from cvelistv5 – Published: 2021-10-11 18:55 – Updated: 2024-09-16 19:52
VLAI?
Title
Code exec via yaml parsing
Summary
Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
Severity ?
6.7 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Kubernetes | Kubernetes Java Client |
Affected:
v12.0.0
Affected: unspecified , ≤ v11.0.1 (custom) Affected: unspecified , ≤ v10.0.1 (custom) Affected: unspecified , ≤ v9.0.2 (custom) |
Credits
Jordy Versmissen
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T20:11:27.820Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kubernetes-client/java/issues/1698"
},
{
"name": "[oss-security] 20220823 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/23/2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kubernetes Java Client",
"vendor": "Kubernetes",
"versions": [
{
"status": "affected",
"version": "v12.0.0"
},
{
"lessThanOrEqual": "v11.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "v10.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "v9.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jordy Versmissen"
}
],
"datePublic": "2021-05-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-23T17:06:19",
"orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"shortName": "kubernetes"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubernetes-client/java/issues/1698"
},
{
"name": "[oss-security] 20220823 Multiple vulnerabilities in Jenkins plugins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/08/23/2"
}
],
"source": {
"defect": [
"https://github.com/kubernetes-client/java/issues/1698"
],
"discovery": "EXTERNAL"
},
"title": "Code exec via yaml parsing",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@kubernetes.io",
"DATE_PUBLIC": "2021-05-17T16:39:00.000Z",
"ID": "CVE-2021-25738",
"STATE": "PUBLIC",
"TITLE": "Code exec via yaml parsing"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Kubernetes Java Client",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "v12.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "v11.0.1"
},
{
"version_affected": "\u003c=",
"version_value": "v10.0.1"
},
{
"version_affected": "\u003c=",
"version_value": "v9.0.2"
}
]
}
}
]
},
"vendor_name": "Kubernetes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Jordy Versmissen"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk",
"refsource": "MISC",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk"
},
{
"name": "https://github.com/kubernetes-client/java/issues/1698",
"refsource": "MISC",
"url": "https://github.com/kubernetes-client/java/issues/1698"
},
{
"name": "[oss-security] 20220823 Multiple vulnerabilities in Jenkins plugins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/08/23/2"
}
]
},
"source": {
"defect": [
"https://github.com/kubernetes-client/java/issues/1698"
],
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"assignerShortName": "kubernetes",
"cveId": "CVE-2021-25738",
"datePublished": "2021-10-11T18:55:10.100025Z",
"dateReserved": "2021-01-21T00:00:00",
"dateUpdated": "2024-09-16T19:52:29.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-8570 (GCVE-0-2020-8570)
Vulnerability from cvelistv5 – Published: 2021-01-21 17:09 – Updated: 2024-09-16 22:01
VLAI?
Title
Kubernetes Java client libraries unvalidated path traversal in Copy implementation
Summary
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
Severity ?
No CVSS data available.
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Kubernetes | Kubernetes Java Client |
Affected:
all versions prior to 9.0
Affected: 9.0 , < 9.0.2 (custom) Affected: 10.0 , < 10.0.1 (custom) |
Credits
Discovered via CodeQL automated scanning on GitHub
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:03:46.133Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/kubernetes-client/java/issues/1491"
},
{
"name": "[druid-commits] 20210201 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210202 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942%40%3Ccommits.druid.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Kubernetes Java Client",
"vendor": "Kubernetes",
"versions": [
{
"status": "affected",
"version": "all versions prior to 9.0"
},
{
"lessThan": "9.0.2",
"status": "affected",
"version": "9.0",
"versionType": "custom"
},
{
"lessThan": "10.0.1",
"status": "affected",
"version": "10.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Discovered via CodeQL automated scanning on GitHub"
}
],
"datePublic": "2021-01-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-04T00:06:10",
"orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"shortName": "kubernetes"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/kubernetes-client/java/issues/1491"
},
{
"name": "[druid-commits] 20210201 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210202 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942%40%3Ccommits.druid.apache.org%3E"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to 9.0.2, 10.0.1 or 11.0.0 versions of the library."
}
],
"source": {
"defect": [
"https://github.com/kubernetes-client/java/issues/1491"
],
"discovery": "UNKNOWN"
},
"title": "Kubernetes Java client libraries unvalidated path traversal in Copy implementation",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@kubernetes.io",
"DATE_PUBLIC": "2021-01-11T23:15:00.000Z",
"ID": "CVE-2020-8570",
"STATE": "PUBLIC",
"TITLE": "Kubernetes Java client libraries unvalidated path traversal in Copy implementation"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Kubernetes Java Client",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.0",
"version_value": "9.0.2"
},
{
"version_affected": "\u003c",
"version_name": "10.0",
"version_value": "10.0.1"
},
{
"version_value": "all versions prior to 9.0"
}
]
}
}
]
},
"vendor_name": "Kubernetes"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Discovered via CodeQL automated scanning on GitHub"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-23 Relative Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg",
"refsource": "MISC",
"url": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg"
},
{
"name": "https://github.com/kubernetes-client/java/issues/1491",
"refsource": "MISC",
"url": "https://github.com/kubernetes-client/java/issues/1491"
},
{
"name": "[druid-commits] 20210201 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210202 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942@%3Ccommits.druid.apache.org%3E"
}
]
},
"solution": [
{
"lang": "en",
"value": "Upgrade to 9.0.2, 10.0.1 or 11.0.0 versions of the library."
}
],
"source": {
"defect": [
"https://github.com/kubernetes-client/java/issues/1491"
],
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
"assignerShortName": "kubernetes",
"cveId": "CVE-2020-8570",
"datePublished": "2021-01-21T17:09:21.689060Z",
"dateReserved": "2020-02-03T00:00:00",
"dateUpdated": "2024-09-16T22:01:55.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}