[Kubernetes Java Client] Kubernetes Java client impacted by CVE-2022-1471


CJ Cullen

Jan 31, 2023, 2:43:06 PM
to kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

Issue Details

A security issue was discovered in the Kubernetes Java client library where loading specially-crafted YAML can lead to code execution, due to CVE-2022-1471.

This issue has been rated Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Am I vulnerable?

If you process untrusted inputs with the Kubernetes Java Client, you may be vulnerable to this issue.
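As an added illustration of the hardening the advisory implies (this is not the Kubernetes Java client's own code or its fix), the snippet below loads untrusted YAML through SnakeYAML's SafeConstructor, which only builds the standard YAML types and rejects any node that names a Java class via a global tag, the mechanism behind CVE-2022-1471. It assumes a SnakeYAML version that offers the SafeConstructor(LoaderOptions) constructor (1.33 or 2.x); the manifests and the placeholder class name are constructed for the example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import java.util.Map;

// Added example, not the client's own code: parse YAML from an untrusted
// source with SafeConstructor so that only maps, lists and scalars are built.
public final class SafeYamlLoad {

    // Constructed sample input: an ordinary manifest with no custom tags.
    static final String PLAIN_MANIFEST =
            "apiVersion: v1\n" +
            "kind: ConfigMap\n" +
            "metadata:\n" +
            "  name: demo\n";

    // Constructed sample input: the same document, but one node carries a
    // global tag asking the loader to instantiate a Java class. The class
    // name is a placeholder; any such tag must be refused, whatever it names.
    static final String TAGGED_MANIFEST =
            "apiVersion: v1\n" +
            "kind: ConfigMap\n" +
            "metadata: !!com.example.PlaceholderClass\n" +
            "  name: demo\n";

    static Yaml safeYaml() {
        // Assumption: SafeConstructor(LoaderOptions) is available (SnakeYAML
        // 1.33+ / 2.x). On older 1.x releases use the no-arg SafeConstructor().
        return new Yaml(new SafeConstructor(new LoaderOptions()));
    }

    /** Returns the parsed top-level map, or null if the document was rejected. */
    @SuppressWarnings("unchecked")
    static Map<String, Object> loadUntrusted(String doc) {
        try {
            Object parsed = safeYaml().load(doc);
            return (parsed instanceof Map) ? (Map<String, Object>) parsed : null;
        } catch (YAMLException e) {
            // SafeConstructor throws a ConstructorException (a YAMLException)
            // for tags it has no constructor for, including all global tags.
            System.err.println("rejected untrusted document: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println(loadUntrusted(PLAIN_MANIFEST));   // the parsed map
        System.out.println(loadUntrusted(TAGGED_MANIFEST));  // null (rejected)
    }
}
```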

Affected Versions

  • Kubernetes Java Client == v17.0.0

  • Kubernetes Java Client <= v16.0.2

  • Kubernetes Java Client <= v15.0.1

Fixed Versions

  • Kubernetes Java Client >= v17.0.1

  • Kubernetes Java Client >= v16.0.3

  • Kubernetes Java Client >= v15.0.2


If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes-client/java/issues/2532


This vulnerability was reported by Jonathan Leitschuh, and fixed by Brendan Burns.

Thank You,

CJ Cullen on behalf of the Kubernetes Security Response Committee
