Fwd: [Security Advisory] CVE-2020-8570: Path Traversal bug in the Java Kubernetes Client

tallclair · January 12, 2021, 1:13am

Hello Kubernetes Community,

A security issue was discovered in Kubernetes Java Client that could overwrite files outside of the current directory when copying files from a Pod.

This issue has assigned CVE-2020-8570.

If you are not using the Java client for Kubernetes, you are not impacted.

If you are not using Copy in the Java client for Kubernetes, you are not impacted.

If you are using Copy and you have upgraded to 9.0.2, 10.0.1 or 11.0.0 you are not impacted.

Otherwise, if you are using Copy with an older version of the Java client and you are copying from untrusted Pods you may be impacted.

ACTION REQUIRED: Upgrade to 9.0.2, 10.0.1 or 11.0.0

Prior to upgrading, this vulnerability can be mitigated by not Copying files from untrusted Pods

Detection

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

This vulnerability was reported by CodeQL Automated scanning by GitHub

Thank You,

Brendan Burns

Topic		Replies	Views
[ANNOUNCE] Security release of Kubernetes kubectl - potential directory traversal - Releases 1.11.9, 1.12.7, 1.13.5, and 1.14.0 - CVE-2019-1002101 Announcements	0	11768	March 28, 2019
[Kubernetes Java Client] Kubernetes Java client impacted by CVE-2022-1471 Announcements	0	1132	January 31, 2023
[Kubernetes Java Client] CVE-2021-25738: Code exec via yaml parsing Announcements	0	2055	May 17, 2021
[ANNOUNCE] Security release of kubectl versions v1.16.0 / 1.15.4 / 1.14.7 and 1.13.11 - CVE-2019-11251 Announcements security , cve	1	1902	September 18, 2019
Kubernetes-Java API : Has anyone had success with Copy.copyFileToPod()? General Discussions	0	704	September 2, 2021