CVE-2021-4178

CWE-502 — Deserialization of Untrusted Data CWE-94 — Code Injection5 documents5 sources

Severity

6.7MEDIUM

EPSS

0.1%

top 73.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Fabric8-kubernetes Redhat A-mq Streams Redhat Build OF Quarkus +4 more

Timeline

PublishedAug 24

Description

A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages9 packages

▶Mavenio.fabric8:kubernetes-client5.0.0-beta-1 — 5.0.3+6

▶NVDredhat/fabric8-kubernetes5.0.1 — 5.0.3+7

▶CVEListV5kubernetes-clientAffects 5.x versions, Fixed in kubernetes-client v5.0.3 and above.

▶NVDredhat/fuse7.11

▶NVDredhat/a-mq_streams2.0.1

🔴Vulnerability Details

CVEList

CVE-2021-4178: A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5↗2022-08-24

▶

GHSA

fabric8 kubernetes-client vulnerable↗2022-07-15

▶

OSV

fabric8 kubernetes-client vulnerable↗2022-07-15

▶

📋Vendor Advisories

Red Hat

kubernetes-client: Insecure deserialization in unmarshalYaml method↗2022-01-05

▶