CVE-2020-8570: Kubernetes Java client libraries unvalidated path traversal in Copy implementation
First published: Thu Jan 21 2021(Updated: )
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
Credit: jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Kubernetes Java | <9.0.2 | |
| Kubernetes Java | >=10.0.0<10.0.1 |
Remedy
Upgrade to 9.0.2, 10.0.1 or 11.0.0 versions of the library.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/kubernetes-client/java/issues/1491
- https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg
- https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942%40%3Ccommits.druid.apache.org%3E
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2020-8570.
What is the severity rating of CVE-2020-8570?
CVE-2020-8570 has a severity rating of 9.1 (Critical).
What is the affected software?
The affected software is Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.2.
What is the impact of this vulnerability?
This vulnerability allows writes to paths outside of the current directory and can potentially overwrite any files on the system.
Are there any references for further information?
Yes, you can find more information about CVE-2020-8570 at the following references: [link1](https://github.com/kubernetes-client/java/issues/1491), [link2](https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg), [link3](https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40@%3Ccommits.druid.apache.org%3E)
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/weakness
- agent/severity
- agent/remedy
- agent/last-modified-date
- agent/title
- agent/author
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- vendor/kubernetes
- canonical/kubernetes java
- version/kubernetes java/10.0.0