[Kubernetes Java Client] CVE-2021-25738: Code exec via yaml parsing


Tim Allclair

May 17, 2021, 12:39:45 PM
to kubernetes-announce, Kubernetes developer/contributor discussion, kubernetes-sec...@googlegroups.com, kubernetes-security-discuss, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

Hello Kubernetes Community,

A security issue was discovered in the Kubernetes Java client library where loading specially-crafted YAML can lead to code execution.

This issue has been rated Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), and assigned CVE-2021-25738.

Am I vulnerable?

If you process untrusted inputs with the Kubernetes Java Client you may be vulnerable to this issue.

Affected Versions

  • Kubernetes Java Client == v11.0.0

  • Kubernetes Java Client <= v10.0.1

  • Kubernetes Java Client <= v9.0.2

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by validating inputs to the client.
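The advisory's interim mitigation is to validate inputs before the client parses them. The gate below is an added illustration of that step, not the Kubernetes project's own code: it pre-parses untrusted YAML with SnakeYAML's SafeConstructor, which builds only plain YAML types and refuses tags that name Java classes, then checks the document's shape before the text is handed to the client. It assumes SnakeYAML 1.x and Java 11+, the kind allowlist is an illustrative placeholder, and the client call shown in a comment is the client's usual `io.kubernetes.client.util.Yaml.loadAs` helper.

```java
import java.util.Map;
import java.util.Set;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/** Validates untrusted YAML before it is handed to the Kubernetes Java client. */
public final class UntrustedManifestGate {
    // Illustrative placeholder: the kinds this application actually expects.
    private static final Set<String> ALLOWED_KINDS = Set.of("Pod", "Deployment", "ConfigMap");

    private UntrustedManifestGate() {}

    /**
     * Returns the YAML text unchanged if it passes, otherwise throws. SafeConstructor
     * builds only plain YAML types (mappings, sequences, scalars) and refuses tags that
     * name classes, so such documents fail here before the client's own loader sees them.
     */
    public static String validate(String untrustedYaml) {
        Object root;
        try {
            root = new Yaml(new SafeConstructor()).load(untrustedYaml);
        } catch (YAMLException e) {
            throw new IllegalArgumentException("rejected: " + e.getMessage(), e);
        }
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("rejected: top level must be a mapping");
        }
        Map<?, ?> doc = (Map<?, ?>) root;
        Object kind = doc.get("kind");
        if (!(kind instanceof String) || !ALLOWED_KINDS.contains(kind)) {
            throw new IllegalArgumentException("rejected: unexpected kind " + kind);
        }
        if (!(doc.get("apiVersion") instanceof String)) {
            throw new IllegalArgumentException("rejected: missing apiVersion");
        }
        return untrustedYaml;
    }

    public static void main(String[] args) {
        // Constructed sample input: a benign Pod manifest that passes the gate.
        String pod = "apiVersion: v1\nkind: Pod\nmetadata:\n  name: demo\n";
        String checked = validate(pod);
        // Only now hand the text to the client, e.g.
        // io.kubernetes.client.util.Yaml.loadAs(checked, V1Pod.class);
        System.out.println("accepted " + checked.length() + " bytes");
        // A mapping whose kind is outside the allowlist is refused the same way.
        try { validate("apiVersion: v1\nkind: Secret\n"); }
        catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```

This is the stopgap the advisory describes; upgrading to a fixed version remains the actual fix.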

Fixed Versions

  • Kubernetes Java Client >= v12.0.0

  • Kubernetes Java Client >= v11.0.1


If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes-client/java/issues/1698


This vulnerability was reported by Jordy Versmissen through our bug bounty.

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee
