CVE-2021-20218

moderate-risk

Published 2021-03-16

A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability. This has been fixed in kubernetes-client-4.13.2 kubernetes-client-5.0.2 kubernetes-client-4.11.2 kubernetes-client-4.7.2

Do I need to act?

0.59% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.4/10 High

NETWORK / HIGH complexity

Affected Products (9)

Kubernetes-Client

A-Mq Online

Build Of Quarkus

Codeready Studio

Descision Manager

Integration Camel K

Jboss Fuse

Openshift Container Platform

Process Automation

Affected Vendors

Redhat

References (4)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1923405

Patch https://github.com/fabric8io/kubernetes-client/issues/2715

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1923405

Patch https://github.com/fabric8io/kubernetes-client/issues/2715

/ 100

moderate-risk

Severity 22/34 · High

Exploitability 2/34 · Minimal

Exposure 15/34 · Moderate