[Kubernetes Java Client] Kubernetes Java client impacted by CVE-2022-1471

3,030 views
Skip to first unread message

CJ Cullen

unread,
Jan 31, 2023, 2:43:06 PM1/31/23
to kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

Issue Details

A security issue was discovered in the Kubernetes Java client library where loading specially-crafted yaml can lead to code execution due to CVE-2022-1471.


This issue has been rated Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Am I vulnerable?

If you process untrusted inputs with the Kubernetes Java Client you may be vulnerable to this issue.

Affected Versions

  • Kubernetes Java Client == v17.0.0

  • Kubernetes Java Client <= v16.0.2

  • Kubernetes Java Client <= v15.0.1

Fixed Versions

  • Kubernetes Java Client >= v17.0.1

  • Kubernetes Java Client >= v16.0.3

  • Kubernetes Java Client >= v15.0.2

Detection

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes-client/java/issues/2532

Acknowledgements

This vulnerability was reported by Jonathan Leitschuh, and fixed by Brendan Burns.


Thank You,

CJ Cullen on behalf of the Kubernetes Security Response Committee


Reply all
Reply to author
Forward
0 new messages