Description
A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client copy command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability. This has been fixed in kubernetes-client-4.13.2, kubernetes-client-5.0.2, kubernetes-client-4.11.2 and kubernetes-client-4.7.2.
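The flaw described above is a path-traversal in tar extraction: the client trusts the entry names in the archive streamed back from the pod. As an added example (not fabric8's code), the check a copy routine should apply to every entry before writing it under the destination directory, run over a constructed in-memory tar stream with one clean entry, one `..` traversal entry and one symlink entry; the destination `/tmp/copy-dest` and all entry names are assumptions.

```python
import io
import os
import tarfile


def is_within(dest_dir: str, member_name: str) -> bool:
    """True if dest_dir/member_name resolves inside dest_dir once '..' parts are normalised."""
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def safe_member_names(tar_bytes: bytes, dest_dir: str):
    """Split the entries of an in-memory tar stream into (accepted, rejected) names.

    Symbolic and hard links are rejected as well: their link targets are a second
    way for an entry to reach outside dest_dir even when the entry name itself is clean.
    """
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk() or not is_within(dest_dir, member.name):
                rejected.append(member.name)
            else:
                accepted.append(member.name)
    return accepted, rejected


def build_sample_tar() -> bytes:
    """Constructed sample stream standing in for what the `tar` process in a pod could emit."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in [("logs/app.log", b"ok\n"), ("../../outside.txt", b"escaped\n")]:
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo(name="link-to-outside")  # clean name, link target outside dest
        link.type = tarfile.SYMTYPE
        link.linkname = "/outside/target"  # constructed target, assumption
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = safe_member_names(build_sample_tar(), "/tmp/copy-dest")
    print("accepted:", ok)   # ['logs/app.log']
    print("rejected:", bad)  # ['../../outside.txt', 'link-to-outside']
```

Rejecting a bad entry (rather than only logging it) is what keeps a hostile pod from turning a routine `copy` into a write anywhere the client process can reach.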
Report
In OpenShift Container Platform 4 (OCP) there are no plans to maintain the ose-logging-elasticsearch5 container; therefore it has been marked wontfix at this time and may be fixed in a future update. Red Hat CodeReady WorkSpaces 2.7.0 does not ship fabric8-kubernetes-client and is therefore not affected by this flaw.
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat CodeReady Studio 12 | kubernetes-client | Affected | | |
| Red Hat JBoss Fuse 6 | kubernetes-client | Not affected | | |
| Red Hat OpenShift Container Platform 3.11 | jenkins-2-plugins | Will not fix | | |
| Red Hat OpenShift Container Platform 3.11 | openshift3/ose-logging-elasticsearch5 | Will not fix | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-logging-elasticsearch5 | Will not fix | | |
| Red Hat AMQ Online 1.7.0 GA | kubernetes-client | Fixed | RHSA-2021:0986 | 25.03.2021 |
| Red Hat Fuse 7.10 | kubernetes-client | Fixed | RHSA-2021:5134 | 14.12.2021 |
| Red Hat Integration | kubernetes-client | Fixed | RHSA-2021:3205 | 18.08.2021 |
| Red Hat Integration Camel Quarkus 2 | kubernetes-client | Fixed | RHSA-2021:3207 | 18.08.2021 |
| Red Hat OpenShift Container Platform 4.7 | jenkins-2-plugins | Fixed | RHSA-2021:1006 | 05.04.2021 |
Additional information
EPSS
CVSS3: 7.4 High
Related vulnerabilities
A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability. This has been fixed in kubernetes-client-4.13.2, kubernetes-client-5.0.2, kubernetes-client-4.11.2 and kubernetes-client-4.7.2.
Improper Limitation of a Pathname to a Restricted Directory in Fabric8 Kubernetes Client
EPSS
CVSS3: 7.4 High