CVE-2021-4178

MEDIUM

Redhat Fabric8-kubernetes < 5.0.3 - Insecure Deserialization

Title source: rule
STIX 2.1

Description

A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.

Exploits (1)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/fabric8io__kubernetes-client_CVE-2021-4178_5-0-2

References (4)

Core 4
Core References
Issue Tracking, Vendor Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=2034388
Vendor Advisory x_refsource_misc
https://access.redhat.com/security/cve/CVE-2021-4178
Third Party Advisory x_refsource_misc
https://github.com/advisories/GHSA-98g7-rxmf-rrxm
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/fabric8io/kubernetes-client/issues/3653

Scores

CVSS v3 6.7
EPSS 0.0010
EPSS Percentile 26.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (12)
io.fabric8/kubernetes-client 5.0.0-beta-1 - 5.0.3Maven
redhat/a-mq_streams 2.0.1
redhat/build_of_quarkus 2.2.5
redhat/descision_manager 7.0
redhat/fabric8-kubernetes 5.0.0 beta1
redhat/fabric8-kubernetes 5.8.0
redhat/fabric8-kubernetes 5.0.1 - 5.0.3
redhat/fuse 7.11
redhat/integration_camel_k
redhat/integration_camel_quarkus 2.2.1
... and 2 more
Published Aug 24, 2022
Tracked Since Feb 18, 2026