
    4 vulnerabilities found for java by kubernetes

    CVE-2021-25738 (GCVE-0-2021-25738)

    Vulnerability from cvelistv5 – Published: 2021-10-11 18:55 – Updated: 2024-09-16 19:52
    Title
    Code exec via yaml parsing
    Summary
    Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    Kubernetes Kubernetes Java Client Affected: v12.0.0
    Affected: unspecified, ≤ v11.0.1 (custom)
    Affected: unspecified, ≤ v10.0.1 (custom)
    Affected: unspecified, ≤ v9.0.2 (custom)
    Date Public
    2021-05-17 00:00
    Credits
    Jordy Versmissen

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:11:27.820Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/kubernetes-client/java/issues/1698"
              },
              {
                "name": "[oss-security] 20220823 Multiple vulnerabilities in Jenkins plugins",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/08/23/2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Kubernetes Java Client",
              "vendor": "Kubernetes",
              "versions": [
                {
                  "status": "affected",
                  "version": "v12.0.0"
                },
                {
                  "lessThanOrEqual": "v11.0.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v10.0.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v9.0.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Jordy Versmissen"
            }
          ],
          "datePublic": "2021-05-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-23T17:06:19.000Z",
            "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
            "shortName": "kubernetes"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/kubernetes-client/java/issues/1698"
            },
            {
              "name": "[oss-security] 20220823 Multiple vulnerabilities in Jenkins plugins",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/08/23/2"
            }
          ],
          "source": {
            "defect": [
              "https://github.com/kubernetes-client/java/issues/1698"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Code exec via yaml parsing",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@kubernetes.io",
              "DATE_PUBLIC": "2021-05-17T16:39:00.000Z",
              "ID": "CVE-2021-25738",
              "STATE": "PUBLIC",
              "TITLE": "Code exec via yaml parsing"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Kubernetes Java Client",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "v12.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v11.0.1"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v10.0.1"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v9.0.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Kubernetes"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Jordy Versmissen"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk",
                  "refsource": "MISC",
                  "url": "https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk"
                },
                {
                  "name": "https://github.com/kubernetes-client/java/issues/1698",
                  "refsource": "MISC",
                  "url": "https://github.com/kubernetes-client/java/issues/1698"
                },
                {
                  "name": "[oss-security] 20220823 Multiple vulnerabilities in Jenkins plugins",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/08/23/2"
                }
              ]
            },
            "source": {
              "defect": [
                "https://github.com/kubernetes-client/java/issues/1698"
              ],
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "assignerShortName": "kubernetes",
        "cveId": "CVE-2021-25738",
        "datePublished": "2021-10-11T18:55:10.100Z",
        "dateReserved": "2021-01-21T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:52:29.851Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-8570 (GCVE-0-2020-8570)

    Vulnerability from cvelistv5 – Published: 2021-01-21 17:09 – Updated: 2024-09-16 22:01
    Title
    Kubernetes Java client libraries unvalidated path traversal in Copy implementation
    Summary
    Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
    Severity
    No CVSS data available.
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    Impacted products
    Vendor Product Version
    Kubernetes Kubernetes Java Client Affected: all versions prior to 9.0
    Affected: 9.0, < 9.0.2 (custom)
    Affected: 10.0, < 10.0.1 (custom)
    Date Public
    2021-01-11 00:00
    Credits
    Discovered via CodeQL automated scanning on GitHub

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:03:46.133Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/kubernetes-client/java/issues/1491"
              },
              {
                "name": "[druid-commits] 20210201 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3%40%3Ccommits.druid.apache.org%3E"
              },
              {
                "name": "[druid-commits] 20210202 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40%40%3Ccommits.druid.apache.org%3E"
              },
              {
                "name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6%40%3Ccommits.druid.apache.org%3E"
              },
              {
                "name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942%40%3Ccommits.druid.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Kubernetes Java Client",
              "vendor": "Kubernetes",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions prior to 9.0"
                },
                {
                  "lessThan": "9.0.2",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "10.0.1",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Discovered via CodeQL automated scanning on GitHub"
            }
          ],
          "datePublic": "2021-01-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23 Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-04T00:06:10.000Z",
            "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
            "shortName": "kubernetes"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/kubernetes-client/java/issues/1491"
            },
            {
              "name": "[druid-commits] 20210201 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3%40%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20210202 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40%40%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6%40%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942%40%3Ccommits.druid.apache.org%3E"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 9.0.2, 10.0.1 or 11.0.0 versions of the library."
            }
          ],
          "source": {
            "defect": [
              "https://github.com/kubernetes-client/java/issues/1491"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Kubernetes Java client libraries unvalidated path traversal in Copy implementation",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@kubernetes.io",
              "DATE_PUBLIC": "2021-01-11T23:15:00.000Z",
              "ID": "CVE-2020-8570",
              "STATE": "PUBLIC",
              "TITLE": "Kubernetes Java client libraries unvalidated path traversal in Copy implementation"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Kubernetes Java Client",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "9.0",
                                "version_value": "9.0.2"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "10.0",
                                "version_value": "10.0.1"
                              },
                              {
                                "version_value": "all versions prior to 9.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Kubernetes"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Discovered via CodeQL automated scanning on GitHub"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-23 Relative Path Traversal"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg",
                  "refsource": "MISC",
                  "url": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg"
                },
                {
                  "name": "https://github.com/kubernetes-client/java/issues/1491",
                  "refsource": "MISC",
                  "url": "https://github.com/kubernetes-client/java/issues/1491"
                },
                {
                  "name": "[druid-commits] 20210201 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3@%3Ccommits.druid.apache.org%3E"
                },
                {
                  "name": "[druid-commits] 20210202 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40@%3Ccommits.druid.apache.org%3E"
                },
                {
                  "name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6@%3Ccommits.druid.apache.org%3E"
                },
                {
                  "name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942@%3Ccommits.druid.apache.org%3E"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to 9.0.2, 10.0.1 or 11.0.0 versions of the library."
              }
            ],
            "source": {
              "defect": [
                "https://github.com/kubernetes-client/java/issues/1491"
              ],
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "assignerShortName": "kubernetes",
        "cveId": "CVE-2020-8570",
        "datePublished": "2021-01-21T17:09:21.689Z",
        "dateReserved": "2020-02-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:01:55.884Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-25738 (GCVE-0-2021-25738)

    Vulnerability from nvd – Published: 2021-10-11 18:55 – Updated: 2024-09-16 19:52
    Title
    Code exec via yaml parsing
    Summary
    Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    Kubernetes Kubernetes Java Client Affected: v12.0.0
    Affected: unspecified, ≤ v11.0.1 (custom)
    Affected: unspecified, ≤ v10.0.1 (custom)
    Affected: unspecified, ≤ v9.0.2 (custom)
    Date Public
    2021-05-17 00:00
    Credits
    Jordy Versmissen

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:11:27.820Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/kubernetes-client/java/issues/1698"
              },
              {
                "name": "[oss-security] 20220823 Multiple vulnerabilities in Jenkins plugins",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/08/23/2"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Kubernetes Java Client",
              "vendor": "Kubernetes",
              "versions": [
                {
                  "status": "affected",
                  "version": "v12.0.0"
                },
                {
                  "lessThanOrEqual": "v11.0.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v10.0.1",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "v9.0.2",
                  "status": "affected",
                  "version": "unspecified",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Jordy Versmissen"
            }
          ],
          "datePublic": "2021-05-17T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-08-23T17:06:19.000Z",
            "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
            "shortName": "kubernetes"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/kubernetes-client/java/issues/1698"
            },
            {
              "name": "[oss-security] 20220823 Multiple vulnerabilities in Jenkins plugins",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/08/23/2"
            }
          ],
          "source": {
            "defect": [
              "https://github.com/kubernetes-client/java/issues/1698"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Code exec via yaml parsing",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@kubernetes.io",
              "DATE_PUBLIC": "2021-05-17T16:39:00.000Z",
              "ID": "CVE-2021-25738",
              "STATE": "PUBLIC",
              "TITLE": "Code exec via yaml parsing"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Kubernetes Java Client",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_value": "v12.0.0"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v11.0.1"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v10.0.1"
                              },
                              {
                                "version_affected": "\u003c=",
                                "version_value": "v9.0.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Kubernetes"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Jordy Versmissen"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 6.7,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20 Improper Input Validation"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk",
                  "refsource": "MISC",
                  "url": "https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk"
                },
                {
                  "name": "https://github.com/kubernetes-client/java/issues/1698",
                  "refsource": "MISC",
                  "url": "https://github.com/kubernetes-client/java/issues/1698"
                },
                {
                  "name": "[oss-security] 20220823 Multiple vulnerabilities in Jenkins plugins",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/08/23/2"
                }
              ]
            },
            "source": {
              "defect": [
                "https://github.com/kubernetes-client/java/issues/1698"
              ],
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "assignerShortName": "kubernetes",
        "cveId": "CVE-2021-25738",
        "datePublished": "2021-10-11T18:55:10.100Z",
        "dateReserved": "2021-01-21T00:00:00.000Z",
        "dateUpdated": "2024-09-16T19:52:29.851Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-8570 (GCVE-0-2020-8570)

    Vulnerability from nvd – Published: 2021-01-21 17:09 – Updated: 2024-09-16 22:01
    Title
    Kubernetes Java client libraries unvalidated path traversal in Copy implementation
    Summary
    Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
    Severity
    No CVSS data available.
    CWE
    • CWE-23 - Relative Path Traversal
    Assigner
    Impacted products
    Vendor Product Version
    Kubernetes Kubernetes Java Client Affected: all versions prior to 9.0
    Affected: 9.0 , < 9.0.2 (custom)
    Affected: 10.0 , < 10.0.1 (custom)
    Date Public
    2021-01-11 00:00
    Credits
    Discovered via CodeQL automated scanning on GitHub

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T10:03:46.133Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/kubernetes-client/java/issues/1491"
              },
              {
                "name": "[druid-commits] 20210201 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3%40%3Ccommits.druid.apache.org%3E"
              },
              {
                "name": "[druid-commits] 20210202 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40%40%3Ccommits.druid.apache.org%3E"
              },
              {
                "name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6%40%3Ccommits.druid.apache.org%3E"
              },
              {
                "name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942%40%3Ccommits.druid.apache.org%3E"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Kubernetes Java Client",
              "vendor": "Kubernetes",
              "versions": [
                {
                  "status": "affected",
                  "version": "all versions prior to 9.0"
                },
                {
                  "lessThan": "9.0.2",
                  "status": "affected",
                  "version": "9.0",
                  "versionType": "custom"
                },
                {
                  "lessThan": "10.0.1",
                  "status": "affected",
                  "version": "10.0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Discovered via CodeQL automated scanning on GitHub"
            }
          ],
          "datePublic": "2021-01-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-23",
                  "description": "CWE-23 Relative Path Traversal",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-04T00:06:10.000Z",
            "orgId": "a6081bf6-c852-4425-ad4f-a67919267565",
            "shortName": "kubernetes"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/kubernetes-client/java/issues/1491"
            },
            {
              "name": "[druid-commits] 20210201 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3%40%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20210202 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40%40%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6%40%3Ccommits.druid.apache.org%3E"
            },
            {
              "name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942%40%3Ccommits.druid.apache.org%3E"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Upgrade to 9.0.2, 10.0.1 or 11.0.0 versions of the library."
            }
          ],
          "source": {
            "defect": [
              "https://github.com/kubernetes-client/java/issues/1491"
            ],
            "discovery": "UNKNOWN"
          },
          "title": "Kubernetes Java client libraries unvalidated path traversal in Copy implementation",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security@kubernetes.io",
              "DATE_PUBLIC": "2021-01-11T23:15:00.000Z",
              "ID": "CVE-2020-8570",
              "STATE": "PUBLIC",
              "TITLE": "Kubernetes Java client libraries unvalidated path traversal in Copy implementation"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Kubernetes Java Client",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "9.0",
                                "version_value": "9.0.2"
                              },
                              {
                                "version_affected": "\u003c",
                                "version_name": "10.0",
                                "version_value": "10.0.1"
                              },
                              {
                                "version_value": "all versions prior to 9.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Kubernetes"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Discovered via CodeQL automated scanning on GitHub"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-23 Relative Path Traversal"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg",
                  "refsource": "MISC",
                  "url": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg"
                },
                {
                  "name": "https://github.com/kubernetes-client/java/issues/1491",
                  "refsource": "MISC",
                  "url": "https://github.com/kubernetes-client/java/issues/1491"
                },
                {
                  "name": "[druid-commits] 20210201 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3@%3Ccommits.druid.apache.org%3E"
                },
                {
                  "name": "[druid-commits] 20210202 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40@%3Ccommits.druid.apache.org%3E"
                },
                {
                  "name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6@%3Ccommits.druid.apache.org%3E"
                },
                {
                  "name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554",
                  "refsource": "MLIST",
                  "url": "https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942@%3Ccommits.druid.apache.org%3E"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Upgrade to 9.0.2, 10.0.1 or 11.0.0 versions of the library."
              }
            ],
            "source": {
              "defect": [
                "https://github.com/kubernetes-client/java/issues/1491"
              ],
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565",
        "assignerShortName": "kubernetes",
        "cveId": "CVE-2020-8570",
        "datePublished": "2021-01-21T17:09:21.689Z",
        "dateReserved": "2020-02-03T00:00:00.000Z",
        "dateUpdated": "2024-09-16T22:01:55.884Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }