Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.

| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| io.kubernetes:client-java (Maven) | 0 | 9.0.2 | N/A |
| io.kubernetes:client-java (Maven) | 10.0.0 | 10.0.1 | N/A |
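
The issue described above is a path traversal during archive extraction: entry names chosen by the remote pod decide where files land on the client. As an added example (not the client library's code and not its actual fix), the following Java class shows one way to check each entry name against the destination directory before writing; the class name, method name and sample entry names are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

public class SafeArchiveEntry {

    // Resolve an archive entry name against the destination directory and
    // reject any result that lands outside it (absolute names, "../" runs).
    static Path resolveInside(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName).normalize();
        // Path.startsWith compares whole path components, so a sibling
        // directory such as "<base>-evil" does not pass as a prefix match.
        if (!target.startsWith(base)) {
            throw new IOException("Entry escapes destination directory: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("pod-copy-");
        // Constructed entry names, standing in for names read from the
        // archive that the remote pod sends back.
        List<String> names = List.of(
                "logs/app.log",
                "./conf/a.yaml",
                "../outside.txt",
                "logs/../../outside.txt",
                "/etc/cron.d/job");
        for (String name : names) {
            try {
                Path p = resolveInside(dest, name);
                System.out.println("ok      " + name + " -> " + p);
            } catch (IOException e) {
                System.out.println("reject  " + name);
            }
        }
    }
}
```

The check is purely lexical: it does not account for symbolic links that already exist under the destination or that the archive itself creates, so extraction code also needs to refuse or carefully handle link entries.
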
CVSS Metrics