Vulnerability CVE-2021-20218


Published: 2021-03-16

Description:
A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and later. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability. This has been fixed in kubernetes-client-4.13.2, kubernetes-client-5.0.2, kubernetes-client-4.11.2 and kubernetes-client-4.7.2.
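The defensive check that this class of bug calls for is a containment test on every entry name before anything is written: the name is attacker-controlled (it comes from the archive the pod produced), so it must be resolved against the destination directory, normalized, and rejected if the result lands outside. The following is an added illustration written for this page, not code from the fabric8 project or from its fix; the class `SafeCopyTarget`, the method `safeResolve`, the destination `/tmp/copy-target` and the sample entry names are all constructed for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

public final class SafeCopyTarget {

    /** Thrown when an archive entry would land outside the destination directory. */
    public static final class PathTraversalException extends RuntimeException {
        PathTraversalException(String message) { super(message); }
    }

    /**
     * Resolve an archive entry name against the destination directory and
     * verify that the normalized result is still inside it.
     * Entry names come from the remote side, so neither "../" segments nor
     * absolute names may be allowed to escape destDir. An absolute entry
     * name replaces the base in resolve(), so it fails the startsWith test.
     */
    public static Path safeResolve(Path destDir, String entryName) {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        if (!target.startsWith(base)) {
            throw new PathTraversalException(
                "entry '" + entryName + "' resolves outside " + base);
        }
        return target;
    }

    public static void main(String[] args) {
        Path dest = Paths.get("/tmp/copy-target"); // hypothetical destination
        // Constructed sample entry names, as they could appear in a tar stream.
        List<String> entries = List.of(
            "app/config.yaml",          // stays inside: accepted
            "logs/../app/data.db",      // normalizes to app/data.db: accepted
            "../../etc/cron.d/job",     // climbs out of the base: rejected
            "/etc/passwd");             // absolute name: rejected
        for (String name : entries) {
            try {
                System.out.println("OK   " + name + " -> " + safeResolve(dest, name));
            } catch (PathTraversalException e) {
                System.out.println("SKIP " + e.getMessage());
            }
        }
    }
}
```

Run it with `java SafeCopyTarget.java` (Java 11 or later); the first two entries print as `OK`, the last two as `SKIP`. The lexical check above covers parent segments and absolute names; if the extractor also materializes symbolic links from the archive, a later entry can still be written through a link that points outside the tree, so an extractor that honours links should additionally verify the real path (for example with `toRealPath()` on the parent directory) before each write.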

Type:

CWE-22

(Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:P)

CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: None
Integrity impact: Partial
Availability impact: Partial
Affected software
Redhat -> Kubernetes-client 
Redhat -> A-mq online 
Redhat -> Build of quarkus 
Redhat -> Codeready studio 
Redhat -> Decision manager 
Redhat -> Integration camel k 
Redhat -> Jboss fuse 
Redhat -> Openshift container platform 
Redhat -> Process automation 

 References:
https://bugzilla.redhat.com/show_bug.cgi?id=1923405
https://github.com/fabric8io/kubernetes-client/issues/2715

Copyright 2021, cxsecurity.com
