[Kubernetes Java Client] Kubernetes Java client impacted by CVE-2022-1471

2,666 views

Skip to first unread message

CJ Cullen

unread,

Jan 31, 2023, 2:43:06 PM1/31/23

to kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

Issue Details

A security issue was discovered in the Kubernetes Java client library where loading specially-crafted yaml can lead to code execution due to CVE-2022-1471.

This issue has been rated Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Am I vulnerable?

If you process untrusted inputs with the Kubernetes Java Client you may be vulnerable to this issue.

Affected Versions

Kubernetes Java Client == v17.0.0
Kubernetes Java Client <= v16.0.2
Kubernetes Java Client <= v15.0.1

Fixed Versions

Kubernetes Java Client >= v17.0.1
Kubernetes Java Client >= v16.0.3
Kubernetes Java Client >= v15.0.2

Detection

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes-client/java/issues/2532

Acknowledgements

This vulnerability was reported by Jonathan Leitschuh, and fixed by Brendan Burns.

Thank You,

CJ Cullen on behalf of the Kubernetes Security Response Committee

Reply all

Reply to author

Forward

0 new messages