CVE-2020-8570 — Relative Path Traversal in Kubernetes Java Client

CWE-23 — Relative Path Traversal CWE-22 — Path Traversal4 documents4 sources

Severity

9.1CRITICALNVD

EPSS

1.1%

top 22.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Kubernetes Java Client Kubernetes Java

Timeline

PublishedJan 21

Latest updateJan 29

Description

Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5kubernetes/kubernetes_java_client9.0 — 9.0.2+2

▶NVDkubernetes/java10.0.0 — 10.0.1+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Path Traversal in the Java Kubernetes Client↗2021-01-29

▶

GHSA

Path Traversal in the Java Kubernetes Client↗2021-01-29

▶

📋Vendor Advisories

Red Hat

kubernetes-client: Path Traversal bug in the Java kubernetes client↗2021-01-12

▶