CVE-2021-20218

Опубликовано: 16 мар. 2021

Источник: nvd

CVSS3: 7.4

CVSS2: 5.8

EPSS Низкий

Описание

A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client copy command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability. This has been fixed in kubernetes-client-4.13.2 kubernetes-client-5.0.2 kubernetes-client-4.11.2 kubernetes-client-4.7.2

Ссылки

https://bugzilla.redhat.com/show_bug.cgi?id=1923405
Issue Tracking
Vendor Advisory
https://github.com/fabric8io/kubernetes-client/issues/2715
Patch
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1923405
Issue Tracking
Vendor Advisory
https://github.com/fabric8io/kubernetes-client/issues/2715
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:redhat:kubernetes-client:*:*:*:*:*:*:*:*

Версия от 4.2.0 (включая) до 4.7.2 (исключая)

cpe:2.3:a:redhat:kubernetes-client:*:*:*:*:*:*:*:*

Версия от 4.8.0 (включая) до 4.11.2 (исключая)

cpe:2.3:a:redhat:kubernetes-client:*:*:*:*:*:*:*:*

Версия от 4.12.0 (включая) до 4.13.2 (исключая)

cpe:2.3:a:redhat:kubernetes-client:*:*:*:*:*:*:*:*

Версия от 5.0.0 (включая) до 5.0.2 (исключая)

Конфигурация 2

Одно из

cpe:2.3:a:redhat:a-mq_online:-:*:*:*:*:*:*:*

cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*

cpe:2.3:a:redhat:codeready_studio:12.0:*:*:*:*:*:*:*

cpe:2.3:a:redhat:descision_manager:7.0:*:*:*:*:*:*:*

cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*

cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*

cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*

cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*

EPSS

Процентиль: 69%

0.00594

Низкий

7.4 High

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-22

Связанные уязвимости

CVE-2021-20218

CVSS3: 7.4

redhat

около 5 лет назад

A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability. This has been fixed in kubernetes-client-4.13.2 kubernetes-client-5.0.2 kubernetes-client-4.11.2 kubernetes-client-4.7.2

GHSA-jwh2-ffg4-48xc

CVSS3: 7.4

github

больше 3 лет назад

Improper Limitation of a Pathname to a Restricted Directory in Fabric8 Kubernetes Client

EPSS

Процентиль: 69%

0.00594

Низкий

7.4 High

CVSS3

5.8 Medium

CVSS2

Дефекты

CWE-22