CVE-2021-20218

CVSS v3.1 7.4 (High)
CVSS v2.0 5.8 (Medium)
EPSS 0.10% (41st)
Affected Products 9
Advisories 1

A flaw was found in the fabric8 kubernetes-client in versions 4.2.0 and later. It allows a malicious pod/container to cause applications that use the fabric8 kubernetes-client copy command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability. This has been fixed in kubernetes-client-4.13.2, kubernetes-client-5.0.2, kubernetes-client-4.11.2 and kubernetes-client-4.7.2.

Weaknesses
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE Status
PUBLISHED
CNA
Red Hat, Inc.
Published Date
2021-03-16 21:15:10
(3 years ago)
Updated Date
2021-03-25 18:43:53
(3 years ago)

Affected Products

Configuration #1

    Product                   CPE23                               From       Up To
    Redhat Kubernetes-client  cpe:2.3:a:redhat:kubernetes-client  >= 4.2.0   < 4.7.2
    Redhat Kubernetes-client  cpe:2.3:a:redhat:kubernetes-client  >= 4.8.0   < 4.11.2
    Redhat Kubernetes-client  cpe:2.3:a:redhat:kubernetes-client  >= 4.12.0  < 4.13.2
    Redhat Kubernetes-client  cpe:2.3:a:redhat:kubernetes-client  >= 5.0.0   < 5.0.2

Configuration #2

    Product                                  CPE23
    Redhat A-mq Online                       cpe:2.3:a:redhat:a-mq_online:-
    Redhat Build Of Quarkus                  cpe:2.3:a:redhat:build_of_quarkus:-
    Redhat Codeready Studio 12.0             cpe:2.3:a:redhat:codeready_studio:12.0
    Redhat Descision Manager 7.0             cpe:2.3:a:redhat:descision_manager:7.0
    Redhat Integration Camel K               cpe:2.3:a:redhat:integration_camel_k:-
    Redhat Jboss Fuse 7.0.0                  cpe:2.3:a:redhat:jboss_fuse:7.0.0
    Redhat Openshift Container Platform 3.11 cpe:2.3:a:redhat:openshift_container_platform:3.11
    Redhat Process Automation 7.0            cpe:2.3:a:redhat:process_automation:7.0