[Kubernetes Java Client] CVE-2021-25738: Code exec via yaml parsing

Hello Kubernetes Community,

A security issue was discovered in the Kubernetes Java client library where loading specially-crafted YAML can lead to code execution.

This issue has been rated Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), and assigned CVE-2021-25738.

Am I vulnerable?

If you process untrusted YAML input with the Kubernetes Java Client, you may be vulnerable to this issue.

Affected Versions

  • Kubernetes Java Client == v11.0.0

  • Kubernetes Java Client <= v10.0.1

  • Kubernetes Java Client <= v9.0.2

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by validating YAML inputs before they are passed to the client, so that only documents from trusted sources, or documents that have been checked to contain nothing beyond plain mappings, lists and scalars, are ever loaded.
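One way to implement that input validation, as an added example that is not part of this advisory or of the Kubernetes Java client: parse the untrusted document first with SnakeYAML's SafeConstructor, which only builds standard YAML mappings, sequences and scalars and rejects any document carrying a type tag, and hand the text to the client only if that parse succeeds. The class and method names below (YamlInputGate, parseSafely, isAcceptable) and the two sample documents are constructed for this illustration; the example assumes the SnakeYAML 2.x API, where SafeConstructor takes a LoaderOptions argument.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Pre-validation gate for YAML that will later be handed to an unpatched
 * Kubernetes Java client. Hypothetical helper written for this example.
 */
public final class YamlInputGate {

    // Constructed sample: an ordinary pod manifest with no tags at all.
    static final String BENIGN = String.join("\n",
        "apiVersion: v1",
        "kind: Pod",
        "metadata:",
        "  name: demo",
        "spec:",
        "  containers:",
        "  - name: app",
        "    image: nginx:1.21");

    // Constructed sample: a document carrying an explicit Java type tag.
    // The class name is a placeholder; any non-standard tag is rejected.
    static final String TAGGED = "!!com.example.SomeClass {}";

    /**
     * Parse with SafeConstructor. Only the standard YAML tags (str, int,
     * map, seq, binary, timestamp, ...) are constructed; a document that
     * names an application class through a tag raises YAMLException.
     */
    public static Object parseSafely(String untrusted) {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(50); // also bounds alias-expansion ("billion laughs") input
        Yaml yaml = new Yaml(new SafeConstructor(opts));
        return yaml.load(untrusted);
    }

    /** True only if the text parses safely and is a top-level mapping, as a manifest must be. */
    public static boolean isAcceptable(String untrusted) {
        try {
            return parseSafely(untrusted) instanceof Map;
        } catch (YAMLException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("benign manifest accepted: " + isAcceptable(BENIGN));
        System.out.println("tagged document accepted: " + isAcceptable(TAGGED));
        // Only a document that passes isAcceptable() should reach the client's own
        // loader (for example io.kubernetes.client.util.Yaml.loadAs(text, V1Pod.class)).
    }
}
```

The gate deliberately re-parses rather than inspecting the text for `!!`, because tags can also be written in the long `!<tag:yaml.org,2002:...>` form and via `%TAG` handles; letting SafeConstructor decide covers all spellings. Rejecting non-standard tags costs nothing for Kubernetes manifests, which never use them.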

Fixed Versions

  • Kubernetes Java Client >= v12.0.0

  • Kubernetes Java Client >= v11.0.1

Detection

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes-client/java/issues/1698

Acknowledgements

This vulnerability was reported by Jordy Versmissen through our bug bounty.

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee
