[Kubernetes Java Client] Kubernetes Java client impacted by CVE-2022-1471

CJ_Cullen · January 31, 2023, 7:42pm

Issue Details

A security issue was discovered in the Kubernetes Java client library where loading specially-crafted yaml can lead to code execution due to CVE-2022-1471.

This issue has been rated Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Am I vulnerable?

If you process untrusted inputs with the Kubernetes Java Client you may be vulnerable to this issue.

Affected Versions- Kubernetes Java Client == v17.0.0

Kubernetes Java Client <= v16.0.2
Kubernetes Java Client <= v15.0.1

Fixed Versions- Kubernetes Java Client >= v17.0.1

Kubernetes Java Client >= v16.0.3
Kubernetes Java Client >= v15.0.2

Detection

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes-client/java/issues/2532

Acknowledgements

This vulnerability was reported by Jonathan Leitschuh, and fixed by Brendan Burns.

Thank You,

CJ Cullen on behalf of the Kubernetes Security Response Committee

Topic		Replies	Views
[Kubernetes Java Client] CVE-2021-25738: Code exec via yaml parsing Announcements	0	2055	May 17, 2021
[ANNOUNCE] CVE-2019-11253: denial of service vulnerability from malicious YAML or JSON payloads Announcements cve	0	3872	October 16, 2019
Fwd: [Security Advisory] CVE-2020-8570: Path Traversal bug in the Java Kubernetes Client Announcements	0	1543	January 12, 2021
[Security Advisory] CVE-2019-11254: denial of service vulnerability from malicious YAML payloads Announcements	2	1721	May 9, 2022
Kubernetes Security Announcement - v1.10.11, v1.11.5, v1.12.3 released to address CVE-2018-1002105 Announcements security	1	6539	December 3, 2018