{"containers": {"cna": {"affected": [{"product": "Kubernetes Java Client", "vendor": "Kubernetes", "versions": [{"status": "affected", "version": "all versions prior to 9.0"}, {"lessThan": "9.0.2", "status": "affected", "version": "9.0", "versionType": "custom"}, {"lessThan": "10.0.1", "status": "affected", "version": "10.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Discovered via CodeQL automated scanning on GitHub"}], "datePublic": "2021-01-11T00:00:00", "descriptions": [{"lang": "en", "value": "Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "description": "CWE-23 Relative Path Traversal", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-04T00:06:10", "orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/kubernetes-client/java/issues/1491"}, {"name": "[druid-commits] 20210201 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20210202 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942%40%3Ccommits.druid.apache.org%3E"}], "solutions": [{"lang": "en", "value": "Upgrade to 9.0.2, 10.0.1 or 11.0.0 versions of the library."}], "source": {"defect": ["https://github.com/kubernetes-client/java/issues/1491"], "discovery": "UNKNOWN"}, "title": "Kubernetes Java client libraries unvalidated path traversal in Copy implementation", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@kubernetes.io", "DATE_PUBLIC": "2021-01-11T23:15:00.000Z", "ID": "CVE-2020-8570", "STATE": "PUBLIC", "TITLE": "Kubernetes Java client libraries unvalidated path traversal in Copy implementation"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kubernetes Java Client", "version": {"version_data": [{"version_affected": "<", "version_name": "9.0", "version_value": "9.0.2"}, {"version_affected": "<", "version_name": "10.0", "version_value": "10.0.1"}, {"version_value": "all versions prior to 9.0"}]}}]}, "vendor_name": "Kubernetes"}]}}, "credit": [{"lang": "eng", "value": "Discovered via CodeQL automated scanning on GitHub"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-23 Relative Path Traversal"}]}]}, "references": {"reference_data": [{"name": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg", "refsource": "MISC", "url": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg"}, {"name": "https://github.com/kubernetes-client/java/issues/1491", "refsource": "MISC", "url": "https://github.com/kubernetes-client/java/issues/1491"}, {"name": "[druid-commits] 20210201 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20210202 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6@%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942@%3Ccommits.druid.apache.org%3E"}]}, "solution": [{"lang": "en", "value": "Upgrade to 9.0.2, 10.0.1 or 11.0.0 versions of the library."}], "source": {"defect": ["https://github.com/kubernetes-client/java/issues/1491"], "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:03:46.133Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/kubernetes-client/java/issues/1491"}, {"name": "[druid-commits] 20210201 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20210202 [GitHub] [druid] jon-wei opened a new pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson commented on pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6%40%3Ccommits.druid.apache.org%3E"}, {"name": "[druid-commits] 20210203 [GitHub] [druid] jihoonson merged pull request #10826: Address CVE-2020-8570, suppress CVE-2020-8554", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942%40%3Ccommits.druid.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "assignerShortName": "kubernetes", "cveId": "CVE-2020-8570", "datePublished": "2021-01-21T17:09:21.689060Z", "dateReserved": "2020-02-03T00:00:00", "dateUpdated": "2024-09-16T22:01:55.884Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:java:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDE8B8B0-BFEA-4097-B229-633ED83338B4", "versionEndExcluding": "9.0.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:java:*:*:*:*:*:*:*:*", "matchCriteriaId": "B367DA81-ECE3-40F2-B5D3-D9F95E5D7E14", "versionEndExcluding": "10.0.1", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code."}, {"lang": "es", "value": "Las bibliotecas del cliente de Kubernetes Java en la versi\u00f3n 10.0.0 y las versiones anteriores a 9.0.1, permiten la escritura en rutas fuera del directorio actual cuando copia varios archivos desde un pod remoto que env\u00eda un archivo dise\u00f1ado maliciosamente. Esto potencialmente puede sobrescribir cualquier archivo en el sistema del proceso que ejecuta el c\u00f3digo del cliente"}], "id": "CVE-2020-8570", "lastModified": "2023-11-07T03:26:37.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-21T17:15:14.327", "references": [{"source": "jordan@liggitt.net", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/kubernetes-client/java/issues/1491"}, {"source": "jordan@liggitt.net", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg"}, {"source": "jordan@liggitt.net", "url": "https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40%40%3Ccommits.druid.apache.org%3E"}, {"source": "jordan@liggitt.net", "url": "https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942%40%3Ccommits.druid.apache.org%3E"}, {"source": "jordan@liggitt.net", "url": "https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3%40%3Ccommits.druid.apache.org%3E"}, {"source": "jordan@liggitt.net", "url": "https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6%40%3Ccommits.druid.apache.org%3E"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-23"}], "source": "jordan@liggitt.net", "type": "Secondary"}]}

{"bugzilla": {"description": "kubernetes-client: Path Traversal bug in the Java kubernetes client", "id": "1915464", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1915464"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "status": "draft"}, "cwe": "CWE-22", "details": ["Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code."], "name": "CVE-2020-8570", "package_state": [{"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Not affected", "package_name": "kubernetes-client", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "kubernetes-client", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "kubernetes-client", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "kubernetes-client", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Not affected", "package_name": "kubernetes-client", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "kubernetes-client", "product_name": "Red Hat Process Automation 7"}], "public_date": "2021-01-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8570\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8570"], "threat_severity": "Moderate", "upstream_fix": "kubernetes-client 10.0.1, kubernetes-client 9.0.2, kubernetes-client 11.0.0"}