[Kubernetes Java Client] CVE-2021-25738: Code exec via yaml parsing

tallclair · May 17, 2021, 4:39pm

Hello Kubernetes Community,

A security issue was discovered in the Kubernetes Java client library where loading specially-crafted yaml can lead to code execution.

This issue has been rated Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), and assigned CVE-2021-25738.

If you process untrusted inputs with the Kubernetes Java Client you may be vulnerable to this issue.

Prior to upgrading, this vulnerability can be mitigated by validating inputs to the client.

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

This vulnerability was reported by Jordy Versmissen through our bug bounty.

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee

Topic		Replies	Views
[Kubernetes Java Client] Kubernetes Java client impacted by CVE-2022-1471 Announcements	0	913	January 31, 2023
[ANNOUNCE] CVE-2019-11253: denial of service vulnerability from malicious YAML or JSON payloads Announcements cve	0	3759	October 16, 2019
Fwd: [Security Advisory] CVE-2020-8570: Path Traversal bug in the Java Kubernetes Client Announcements	0	1423	January 12, 2021
[Security Advisory] CVE-2019-11254: denial of service vulnerability from malicious YAML payloads Announcements	2	1605	May 9, 2022
Kubernetes Security Announcement - v1.10.11, v1.11.5, v1.12.3 released to address CVE-2018-1002105 Announcements security	1	6425	December 3, 2018