Hello Kubernetes Community,
A security issue was discovered in the Kubernetes Java client library where loading specially-crafted yaml can lead to code execution.
This issue has been rated Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), and assigned CVE-2021-25738.
Am I vulnerable?
If you process untrusted inputs with the Kubernetes Java Client you may be vulnerable to this issue.
Affected Versions- Kubernetes Java Client == v11.0.0
-
Kubernetes Java Client <= v10.0.1
-
Kubernetes Java Client <= v9.0.2
How do I mitigate this vulnerability?
Prior to upgrading, this vulnerability can be mitigated by validating inputs to the client.
Fixed Versions- Kubernetes Java Client >= v12.0.0
- Kubernetes Java Client >= v11.0.1
Detection
If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io
Additional Details
See the GitHub issue for more details: https://github.com/kubernetes-client/java/issues/1698
Acknowledgements
This vulnerability was reported by Jordy Versmissen through our bug bounty.
Thank You,
Tim Allclair on behalf of the Kubernetes Product Security Committee