NVD Vulnerability Detail

CVE-2020-8570

Summary	Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
Publication Date	Jan. 22, 2021, 2:15 a.m.
Registration Date	Jan. 26, 2021, 10:40 a.m.
Last Update	Nov. 21, 2024, 2:39 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	https://github.com/kubernetes-client/java/issues/1491	Issue Tracking Patch Third Party Advisory
2	https://github.com/kubernetes-client/java/issues/1491	Issue Tracking Patch Third Party Advisory
3	https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg	Mailing List Third Party Advisory
4	https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg	Mailing List Third Party Advisory
5	https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40%40%3Ccommits.druid.apache.org%3E
6	https://lists.apache.org/thread.html/r0c76b3d0be348f788cd947054141de0229af00c540564711e828fd40%40%3Ccommits.druid.apache.org%3E
7	https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942%40%3Ccommits.druid.apache.org%3E
8	https://lists.apache.org/thread.html/r1975078e44d96f2a199aa90aa874b57a202eaf7f25f2fde6d1c44942%40%3Ccommits.druid.apache.org%3E
9	https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3%40%3Ccommits.druid.apache.org%3E
10	https://lists.apache.org/thread.html/rcafa485d63550657f068775801aeb706b7a07140a8ebbdef822b3bb3%40%3Ccommits.druid.apache.org%3E
11	https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6%40%3Ccommits.druid.apache.org%3E
12	https://lists.apache.org/thread.html/rdb223e1b82e3d7d8e4eaddce8dd1ab87252e3935cc41c859f49767b6%40%3Ccommits.druid.apache.org%3E

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-22	パス・トラバーサル	https://cwe.mitre.org/data/definitions/22.html

JVN Vulnerability Information

Kubernetes Java におけるパストラバーサルの脆弱性

Title	Kubernetes Java におけるパストラバーサルの脆弱性
Summary	Kubernetes Java には、パストラバーサルの脆弱性が存在します。
Possible impacts	情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 3, 2020, midnight
Registration Date	Oct. 11, 2021, 6:06 p.m.
Last Update	Oct. 11, 2021, 6:06 p.m.

Affected System

Kubernetes

Java

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-8570	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8570
GitHub
2	CVE-2020-8570: Path Traversal bug in the Java Kubernetes Client #1491	https://github.com/kubernetes-client/java/issues/1491
National Vulnerability Database (NVD)
3	CVE-2020-8570	https://nvd.nist.gov/vuln/detail/CVE-2020-8570

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-22	https://jvndb.jvn.jp/ja/cwe/CWE-22.html

ベンダー情報

No	Name	URL
Google Groups
1	Fwd: [Security Advisory] CVE-2020-8570: Path Traversal bug in the Java Kubernetes Client	https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg

Change Log

No	Changed Details	Date of change
1	[2021年10月11日] 掲載	Oct. 11, 2021, 6:06 p.m.