CVE-2021-25743: Improper Neutralization of Escape, Meta, or Control Sequences in Kubernetes

Severity
3.0 LOW (NVD)
EPSS
0.3%
top 48.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jan 7
Latest update: Aug 21

Description

kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
Exploitability: 1.3 | Impact: 1.4

Affected Packages (4 packages)

Go: k8s.io/kubernetes < 1.26.0-alpha.3
Debian: kubernetes/kubernetes < 1.20.5+really1.20.2-1.1 +2
CVEListV5: kubernetes/kubernetes unspecified 1.23.1 +3
NVD: kubernetes/kubernetes 1.25.0 +1

🔴 Vulnerability Details (5)

OSV: ANSI escape characters not filtered in kubectl in k8s.io/kubernetes (2024-08-21)
OSV: kubectl ANSI escape characters not filtered (2022-01-08)
GHSA: kubectl ANSI escape characters not filtered (2022-01-08)
OSV: CVE-2021-25743: kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal (2022-01-07)
CVEList: ANSI escape characters in kubectl output are not being filtered (2022-01-07)

📋 Vendor Advisories (2)

Red Hat: kubernetes: kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal (2022-01-06)
Debian: CVE-2021-25743: kubernetes - kubectl does not neutralize escape, meta or control sequences contained in the r... (2021)