CVE-2020-8570

CRITICAL

Kubernetes Java Client <10.0.0 - Path Traversal

Description

Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.

Exploits (2)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/kubernetes-client__java_CVE-2020-8570_client-java-parent-9_0_2_fixed

Scores

CVSS v3 9.1
EPSS 0.0109
EPSS Percentile 78.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Details

CWE
CWE-22 CWE-23
Status published
Products (2)
io.kubernetes/client-java 0 - 9.0.2 (Maven)
kubernetes/java < 9.0.2
Published Jan 21, 2021
Tracked Since Feb 18, 2026