CVE-2021-25738

MEDIUM

kubernetes/java < 9.0.2 and io.kubernetes/client-java < 11.0.1 - Remote Code Execution via YAML Deserialization

Title source: llm
STIX 2.1

Description

Loading specially-crafted yaml with the Kubernetes Java Client library can lead to code execution.

References (3)

Core 3
Core References
Mailing List, Third Party Advisory x_refsource_misc
https://groups.google.com/g/kubernetes-security-announce/c/K_pOK2WbAJk
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/kubernetes-client/java/issues/1698
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/08/23/2

Scores

CVSS v3 6.7
EPSS 0.0046
EPSS Percentile 36.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20 CWE-502
Status published
Products (2)
io.kubernetes/client-java 0 - 11.0.1Maven
kubernetes/java < 9.0.2
Published Oct 11, 2021
Tracked Since Feb 18, 2026