A security issue was discovered in the Kubernetes Java client library where loading specially-crafted yaml can lead to code execution due to CVE-2022-1471.
This issue has been rated Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Am I vulnerable?
If you process untrusted inputs with the Kubernetes Java Client you may be vulnerable to this issue.
Affected Versions- Kubernetes Java Client == v17.0.0
Kubernetes Java Client <= v16.0.2
Kubernetes Java Client <= v15.0.1
Fixed Versions- Kubernetes Java Client >= v17.0.1
Kubernetes Java Client >= v16.0.3
Kubernetes Java Client >= v15.0.2
If you find evidence that this vulnerability has been exploited, please contact email@example.com
See the GitHub issue for more details: https://github.com/kubernetes-client/java/issues/2532
This vulnerability was reported by Jonathan Leitschuh, and fixed by Brendan Burns.
CJ Cullen on behalf of the Kubernetes Security Response Committee