CVE-2021-4178

MEDIUM

Redhat Fabric8-kubernetes < 5.0.3 - Insecure Deserialization

Title source: rule

Description

A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.

Exploits (1)

nomisec WRITEUP

by shoucheng3 · poc

https://github.com/shoucheng3/fabric8io__kubernetes-client_CVE-2021-4178_5-0-2

View Code ZIP pw:eip

References (4)

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2021-4178

[Issue Tracking, Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=2034388

[Third Party Advisory] https://github.com/advisories/GHSA-98g7-rxmf-rrxm

[Issue Tracking, Third Party Advisory] https://github.com/fabric8io/kubernetes-client/issues/3653

Scores

CVSS v3 6.7

EPSS 0.0010

EPSS Percentile 26.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (12)

redhat/fabric8-kubernetes < 5.0.3

redhat/fabric8-kubernetes

redhat/a-mq_streams

redhat/build_of_quarkus

redhat/descision_manager

redhat/fuse

redhat/integration_camel_k

redhat/integration_camel_quarkus

redhat/openshift_application_runtimes

redhat/process_automation

io.fabric8/kubernetes-client < 5.0.3Maven

Timeline

Published Aug 24, 2022

Tracked Since Feb 18, 2026