Hello Kubernetes Community,
A security issue was discovered in the Kubernetes Java client library where loading specially-crafted yaml can lead to code execution.
This issue has been rated Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), and assigned CVE-2021-25738.
If you process untrusted inputs with the Kubernetes Java Client you may be vulnerable to this issue.
Kubernetes Java Client == v11.0.0
Kubernetes Java Client <= v10.0.1
Kubernetes Java Client <= v9.0.2
Prior to upgrading, this vulnerability can be mitigated by validating inputs to the client.
Kubernetes Java Client >= v12.0.0
Kubernetes Java Client >= v11.0.1
If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io
See the GitHub issue for more details: https://github.com/kubernetes-client/java/issues/1698
This vulnerability was reported by Jordy Versmissen through our bug bounty.
Tim Allclair on behalf of the Kubernetes Product Security Committee