CVE-2021-20218 : A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. Th

A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability. This has been fixed in kubernetes-client-4.13.2 kubernetes-client-5.0.2 kubernetes-client-4.11.2 kubernetes-client-4.7.2

Published 2021-03-16 21:15:11

Updated 2021-03-25 18:43:54

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2021-20218

Redhat » Jboss Fuse » Version: 7.0.0
cpe:2.3:a:redhat:jboss_fuse:7.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Openshift Container Platform » Version: 3.11
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
Matching versions
Redhat » Process Automation » Version: 7.0
cpe:2.3:a:redhat:process_automation:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Kubernetes-client
Versions from including (>=) 4.8.0 and before (<) 4.11.2
cpe:2.3:a:redhat:kubernetes-client:*:*:*:*:*:*:*:*
Matching versions
Redhat » Kubernetes-client
Versions from including (>=) 4.2.0 and before (<) 4.7.2
cpe:2.3:a:redhat:kubernetes-client:*:*:*:*:*:*:*:*
Matching versions
Redhat » Kubernetes-client
Versions from including (>=) 5.0.0 and before (<) 5.0.2
cpe:2.3:a:redhat:kubernetes-client:*:*:*:*:*:*:*:*
Matching versions
Redhat » Kubernetes-client
Versions from including (>=) 4.12.0 and before (<) 4.13.2
cpe:2.3:a:redhat:kubernetes-client:*:*:*:*:*:*:*:*
Matching versions
Redhat » A-mq Online » Version: N/A
cpe:2.3:a:redhat:a-mq_online:-:*:*:*:*:*:*:*
Matching versions
Redhat » Build Of Quarkus » Version: N/A
cpe:2.3:a:redhat:build_of_quarkus:-:*:*:*:*:*:*:*
Matching versions
Redhat » Codeready Studio » Version: 12.0
cpe:2.3:a:redhat:codeready_studio:12.0:*:*:*:*:*:*:*
Matching versions
Redhat » Descision Manager » Version: 7.0
cpe:2.3:a:redhat:descision_manager:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Integration Camel K » Version: N/A
cpe:2.3:a:redhat:integration_camel_k:-:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-20218

EPSS FAQ

0.59%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 67 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-20218

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.8	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:P	8.6	4.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: Partial
7.4	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H	2.2	5.2	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: High

CWE ids for CVE-2021-20218

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: secalert@redhat.com (Primary)

References for CVE-2021-20218

https://bugzilla.redhat.com/show_bug.cgi?id=1923405

1923405 – (CVE-2021-20218) CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
Issue Tracking;Vendor Advisory
https://github.com/fabric8io/kubernetes-client/issues/2715

Potential CVE? · Issue #2715 · fabric8io/kubernetes-client · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-20218

Products affected by CVE-2021-20218

Exploit prediction scoring system (EPSS) score for CVE-2021-20218

CVSS scores for CVE-2021-20218

CWE ids for CVE-2021-20218

References for CVE-2021-20218