CVE-2020-8570

CRITICAL

Kubernetes Java Client <10.0.0 - Path Traversal

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-8570. PoCs published by shoucheng3.

AI-analyzed exploit summary This repository contains the Kubernetes Java Client source code, including documentation and examples. It appears to be a legitimate technical resource with detailed changelogs, contributing guidelines, and example code for interacting with Kubernetes clusters.

Description

Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.

Exploits (1)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/kubernetes-client__java_CVE-2020-8570_client-java-parent-9_0_2_fixed

This repository contains the Kubernetes Java Client source code, including documentation and examples. It appears to be a legitimate technical resource with detailed changelogs, contributing guidelines, and example code for interacting with Kubernetes clusters.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: Kubernetes Java Client
No auth needed
Prerequisites: Access to a Kubernetes cluster
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (6)

Core 6
Core References
Mailing List, Third Party Advisory x_refsource_misc
https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg
Issue Tracking, Patch, Third Party Advisory x_refsource_misc
https://github.com/kubernetes-client/java/issues/1491

Scores

CVSS v3 9.1
EPSS 0.0355
EPSS Percentile 87.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Details

CWE
CWE-22 CWE-23
Status published
Products (2)
io.kubernetes/client-java 0 - 9.0.2Maven
kubernetes/java < 9.0.2
Published Jan 21, 2021
Tracked Since Feb 18, 2026