CVE-2021-20218

CWE-22 — Path Traversal5 documents5 sources

Severity

7.4HIGH

EPSS

0.6%

top 30.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Kubernetes-client Redhat Codeready Studio Redhat Descision Manager +3 more

Timeline

PublishedMar 16

Latest updateMay 24

Description

A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability. This has been fixed in kubernetes-client-4.13.2 kubernetes-client-5.0.2 kubernetes-client-4.11.2 kubernetes-client-4.7.2

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 2.2 | Impact: 5.2

Affected Packages7 packages

▶Mavenio.fabric8:kubernetes-client4.2.0 — 4.7.2+3

▶CVEListV5fabric8-kubernetes-clientkubernetes-client-4.2.0 and after

▶NVDredhat/kubernetes-client4.2.0 — 4.7.2+3

▶NVDredhat/jboss_fuse7.0.0

▶NVDredhat/codeready_studio12.0

Also affects: Openshift Container Platform 3.11

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Improper Limitation of a Pathname to a Restricted Directory in Fabric8 Kubernetes Client↗2022-05-24

▶

OSV

Improper Limitation of a Pathname to a Restricted Directory in Fabric8 Kubernetes Client↗2022-05-24

▶

CVEList

CVE-2021-20218: A flaw was found in the fabric8 kubernetes-client in version 4↗2021-03-16

▶

📋Vendor Advisories

Red Hat

fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise↗2021-01-12

▶