[Kubernetes Java Client] CVE-2021-25738: Code exec via yaml parsing


Tim Allclair

May 17, 2021, 12:39:45 PM
to kubernetes-announce, Kubernetes developer/contributor discussion, kubernetes-sec...@googlegroups.com, kubernetes-security-discuss, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

Hello Kubernetes Community,

A security issue was discovered in the Kubernetes Java client library where loading specially-crafted yaml can lead to code execution.

This issue has been rated Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), and assigned CVE-2021-25738.

Am I vulnerable?

If you process untrusted inputs with the Kubernetes Java Client you may be vulnerable to this issue.

Affected Versions

  • Kubernetes Java Client == v11.0.0

  • Kubernetes Java Client <= v10.0.1

  • Kubernetes Java Client <= v9.0.2

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by validating inputs to the client.

Fixed Versions

  • Kubernetes Java Client >= v12.0.0

  • Kubernetes Java Client >= v11.0.1

Detection

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes-client/java/issues/1698

Acknowledgements

This vulnerability was reported by Jordy Versmissen through our bug bounty.

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee
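The advisory's interim mitigation is to validate inputs before they reach the client. The example below is added here and is not code from the Kubernetes Java client or from the advisory; it assumes the YAML is parsed with SnakeYAML (the library the Java client builds its YAML utilities on) using the `SafeConstructor(LoaderOptions)` constructor available in SnakeYAML 2.x. `SafeConstructor` only builds standard scalars, sequences and mappings and throws on any global `!!class` tag, so the parser never instantiates arbitrary JVM classes; the second step checks the plain result against an allowlist of expected `kind` values. Both sample documents, the allowlist and the class name are constructed for this illustration.

```java
import java.util.Map;
import java.util.Set;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Added example (not the Kubernetes Java client's own code): load YAML from an
 * untrusted source with SnakeYAML's SafeConstructor, which constructs only the
 * standard scalar/sequence/mapping types and rejects every global "!!class"
 * tag, then validate the plain result before handing it to the client.
 */
public class SafeManifestLoader {

    // Constructed allowlist of kinds this workload is prepared to accept.
    private static final Set<String> ALLOWED_KINDS = Set.of("ConfigMap", "Deployment", "Service");

    // Ordinary manifest (constructed sample input).
    static final String BENIGN_DOC = String.join("\n",
        "apiVersion: v1",
        "kind: ConfigMap",
        "metadata:",
        "  name: demo",
        "data:",
        "  key: value");

    // Constructed sample carrying a global tag that asks the parser to
    // instantiate a JVM class. SafeConstructor refuses any such tag, so the
    // class named here is never resolved or constructed.
    static final String TAGGED_DOC = String.join("\n",
        "apiVersion: v1",
        "kind: ConfigMap",
        "metadata: !!java.util.Date 0");

    /** Parse untrusted YAML into plain Java collections only. */
    public static Map<String, Object> loadUntrusted(String yamlText) {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(10); // also bounds alias expansion
        Yaml yaml = new Yaml(new SafeConstructor(opts));
        Object parsed = yaml.load(yamlText);
        if (!(parsed instanceof Map)) {
            throw new IllegalArgumentException("top-level YAML node must be a mapping");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> doc = (Map<String, Object>) parsed;
        return doc;
    }

    /** Reject documents whose apiVersion/kind are not what this code expects. */
    public static void validateManifest(Map<String, Object> doc) {
        Object apiVersion = doc.get("apiVersion");
        Object kind = doc.get("kind");
        if (!(apiVersion instanceof String) || !(kind instanceof String)) {
            throw new IllegalArgumentException("apiVersion and kind must be strings");
        }
        if (!ALLOWED_KINDS.contains(kind)) {
            throw new IllegalArgumentException("kind not allowed: " + kind);
        }
    }

    public static void main(String[] args) {
        Map<String, Object> ok = loadUntrusted(BENIGN_DOC);
        validateManifest(ok);
        Map<?, ?> metadata = (Map<?, ?>) ok.get("metadata");
        System.out.println("accepted: " + ok.get("kind") + " " + metadata.get("name"));

        try {
            loadUntrusted(TAGGED_DOC);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            // SafeConstructor throws a ConstructorException for the unknown tag.
            System.out.println("rejected tagged document: " + e.getMessage());
        }
    }
}
```

Run it with SnakeYAML on the classpath; the benign document is accepted and the tagged one is rejected at parse time, before any validation logic runs. The point for a defender is that the loader's constructor, not the downstream validation, is what decides whether a YAML tag can name a class, so the validation step is a second layer rather than a substitute for upgrading to a fixed client version.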

