Description
A security issue was discovered in the Kubernetes Java client library where loading specially-crafted yaml can lead to code execution.
This issue has been rated Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), and assigned CVE-2021-25738.
Am I vulnerable?
If you process untrusted inputs with the Kubernetes Java Client you may be vulnerable to this issue.
Affected Versions
- Kubernetes Java Client == v12.0.0
- Kubernetes Java Client <= v11.0.1
- Kubernetes Java Client <= v10.0.1
- Kubernetes Java Client <= v9.0.2
How do I mitigate this vulnerability?
Prior to upgrading, this vulnerability can be mitigated by validating inputs to the client.
Fixed Versions
- Kubernetes Java Client master - Patched by Update the CustomConstructor class for SnakeYAML. #1676
- Kubernetes Java Client >= v12.0.1 - Patched by Cherry-pick 12: Update the CustomConstructor class for SnakeYAML #1691
- Kubernetes Java Client >= v11.0.2 - Patched by Cherry-pick 11: Update the CustomConstructor class for SnakeYAML #1692
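The mitigation above ("validating inputs to the client") and the fix ("Update the CustomConstructor class for SnakeYAML") both come down to the same principle: untrusted YAML must never be allowed to name an arbitrary Java class through a global `!!` tag. The following is an added example, not code from the Kubernetes Java client, showing that principle with SnakeYAML's `SafeConstructor`: a constructor that only knows the standard YAML types plus one explicitly allow-listed local tag, so any other tag is rejected before an object is built. It assumes the SnakeYAML API that takes `LoaderOptions` (1.33 and later, including 2.x); the `!duration` tag, the `loadConfig` helper and the `com.example.NotAllowed` tag name are constructed for the demonstration.

```java
import java.time.Duration;
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.AbstractConstruct;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.nodes.Node;
import org.yaml.snakeyaml.nodes.ScalarNode;
import org.yaml.snakeyaml.nodes.Tag;

public final class SafeYamlLoading {

    /**
     * Allow-list constructor (assumed design, modelled on extending SafeConstructor).
     * SafeConstructor registers constructs only for the core YAML tags (str, int,
     * map, seq, ...). Every tag it does not know, including any
     * "!!fully.qualified.ClassName" global tag, falls through to its
     * undefined-tag handler, which throws ConstructorException instead of
     * instantiating the named class.
     */
    static final class AllowlistConstructor extends SafeConstructor {
        AllowlistConstructor(LoaderOptions options) {
            super(options);
            // The one extra type this loader accepts: a local "!duration" tag
            // (constructed for this example) mapped to java.time.Duration.
            this.yamlConstructors.put(new Tag("!duration"), new ConstructDuration());
        }

        /** Builds a Duration from an ISO-8601 scalar such as "PT30S". */
        private final class ConstructDuration extends AbstractConstruct {
            @Override
            public Object construct(Node node) {
                String text = constructScalar((ScalarNode) node);
                return Duration.parse(text);
            }
        }
    }

    /** Yaml instance that can only build allow-listed types. */
    static Yaml restrictedYaml() {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false); // reject ambiguous documents outright
        return new Yaml(new AllowlistConstructor(options));
    }

    /**
     * Loads untrusted YAML and insists on a top-level mapping; anything the
     * allow-list does not cover surfaces as ConstructorException to the caller.
     */
    @SuppressWarnings("unchecked")
    static Map<String, Object> loadConfig(String untrustedYaml) {
        Object loaded = restrictedYaml().load(untrustedYaml);
        if (!(loaded instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at the top level");
        }
        return (Map<String, Object>) loaded;
    }

    public static void main(String[] args) {
        // Constructed benign input: plain scalars plus the allow-listed local tag.
        String benign = "name: demo\nreplicas: 3\ntimeout: !duration PT30S\n";
        System.out.println("accepted: " + loadConfig(benign));

        // Constructed input carrying a global tag for a class the loader has not
        // allow-listed; SafeConstructor rejects it without touching the class.
        String tagged = "!!com.example.NotAllowed {}\n";
        try {
            loadConfig(tagged);
            System.out.println("unexpected: global tag was constructed");
        } catch (ConstructorException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The distinction that matters is which base class the custom constructor extends: SnakeYAML's plain `Constructor` resolves `!!` global tags to Java classes by name, whereas `SafeConstructor` only ever builds the types explicitly registered in `yamlConstructors`. Until the client is upgraded, the same effect can be had at the call site by loading YAML through a `SafeConstructor`-based `Yaml` instance before handing the resulting maps and lists to the client.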
Detection
If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io.
Acknowledgements
This vulnerability was reported by Jordy Versmissen through our bug bounty.