CVE-2021-25738Improper Input Validation in Kubernetes Java

CWE-20Improper Input ValidationCWE-502Deserialization of Untrusted Data6 documents6 sources
Severity
6.7MEDIUMNVD
EPSS
0.1%
top 69.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
7
Kubernetes JavaKubernetes Java ClientJenkins Collabnet Plugins Plugin+4 more
Timeline
PublishedOct 11
Latest updateAug 23

Description

Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages7 packages

CVEListV5kubernetes/kubernetes_java_clientunspecifiedv11.0.1+1
NVDkubernetes/java11.0.011.0.1+2

🔴Vulnerability Details

2
OSV
Code injection in Kubernetes Java Client2021-10-12
GHSA
Code injection in Kubernetes Java Client2021-10-12

📋Vendor Advisories

2
Jenkins
Jenkins Security Advisory 2022-08-232022-08-23
Red Hat
kubernetes-client: Loading specially-crafted yaml can lead to code execution2021-05-17

💬Community

1
HackerOne
Loading YAML in Java client can lead to command execution2021-08-07