CVE-2021-4178

Description

A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.

CVSS Metrics

• v3.1•MEDIUM•Score: 6.7CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 0.24%• Percentile: 48%

Techniques & Countermeasures

• CWE-502•Deserialization of Untrusted Data

  The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

• io.fabric8•kubernetes-client

  ≥ 5.0.0-beta-1, < 5.0.3 | ≥ 5.1.0, < 5.1.2 | ≥ 5.2.0, < 5.3.2 | ≥ 5.5.0, < 5.7.4 | ≥ 5.8.0, < 5.8.1 | ≥ 5.9.0, < 5.10.2 | ≥ 5.11.0, < 5.11.2

• redhat•a-mq_streams

  2.0.1

• redhat•build_of_quarkus

  2.2.5

• redhat•descision_manager

  7.0

• redhat•fabric8-kubernetes

  ≥ 5.0.1, < 5.0.3 | ≥ 5.1.0, < 5.1.2 | ≥ 5.2.0, < 5.3.2 | ≥ 5.5.0, < 5.7.4 | ≥ 5.9.0, < 5.10.2 | ≥ 5.11.0, < 5.11.2 | 5.0.0:beta1 | 5.8.0

• redhat•fuse

  7.11

• redhat•integration_camel_k

  na

• redhat•integration_camel_quarkus

  2.2.1

• redhat•openshift_application_runtimes

  na

• redhat•process_automation

  7.0

References (9)

• https://bugzilla.redhat.com/show_bug.cgi?id=2034388
• https://access.redhat.com/security/cve/CVE-2021-4178
• https://github.com/advisories/GHSA-98g7-rxmf-rrxm
• https://github.com/fabric8io/kubernetes-client/issues/3653
• https://nvd.nist.gov/vuln/detail/CVE-2021-4178
• https://github.com/fabric8io/kubernetes-client/commit/445103004d1ed3153d5abb272473451d05891e39
• https://access.redhat.com/security/cve/cve-2021-4178
• https://github.com/fabric8io/kubernetes-client
• https://www.mend.io/vulnerability-database/CVE-2021-4178