CVE-2021-4178

A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.

Published: Aug 24, 2022
Updated: May 9, 2024
CVE: CVE-2021-4178
GHSA: GHSA-98g7-rxmf-rrxm
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.7
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWEs:

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
redhat / fabric8-kubernetes	5.1.0	5.1.2
redhat / fabric8-kubernetes	5.2.0	5.3.2
redhat / fabric8-kubernetes	5.8.0	5.8.0.x
redhat / fabric8-kubernetes	5.5.0	5.7.4
redhat / fabric8-kubernetes	5.0.0-beta1	5.0.0-beta1.x
redhat / fabric8-kubernetes	5.0.1	5.0.3
redhat / fabric8-kubernetes	5.11.0	5.11.2
redhat / fabric8-kubernetes	5.9.0	5.10.2
redhat / process_automation	7.0	7.0.x
redhat / descision_manager	7.0	7.0.x
redhat / a-mq_streams	2.0.1	2.0.1.x
redhat / fuse	7.11	7.11.x
redhat / integration_camel_quarkus	2.2.1	2.2.1.x
redhat / build_of_quarkus	2.2.5	2.2.5.x
io.fabric8 / kubernetes-client	5.0.0-beta-1	5.0.3
io.fabric8 / kubernetes-client	5.1.0	5.1.2
io.fabric8 / kubernetes-client	5.2.0	5.3.2
io.fabric8 / kubernetes-client	5.5.0	5.7.4
io.fabric8 / kubernetes-client	5.8.0	5.8.1
io.fabric8 / kubernetes-client	5.9.0	5.10.2
io.fabric8 / kubernetes-client	5.11.0	5.11.2

Vulnerability Database

289,598

CVE-2021-4178