CVE-2020-8570

9.1 CRITICAL

📋 TL;DR

CVE-2020-8570 is a path traversal vulnerability in the Kubernetes Java client libraries. When the client copies files from a remote pod, it does not validate the file paths contained in the archive the pod sends, so an attacker who controls that pod can write files outside the intended destination directory. This can lead to arbitrary file overwrites on the system running the vulnerable client code. Affected users include anyone using the Kubernetes Java client libraries for file copy operations from remote pods.

💻 Affected Systems

Products:
  • Kubernetes Java Client Libraries
Versions: Version 10.0.0 and all versions prior to 9.0.1
Operating Systems: All operating systems running Java applications using these libraries
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the copy functionality from remote pods. Applications not performing file copy operations from pods are not vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through arbitrary file overwrites, potentially leading to remote code execution, data destruction, or privilege escalation.

🟠 Likely Case

Unauthorized file modifications, configuration tampering, or denial of service through critical file corruption.

🟢 If Mitigated

Limited impact if proper file permissions and container isolation prevent writes to sensitive locations.

🌐 Internet-Facing: MEDIUM - Exploitation requires access to Kubernetes API and ability to create malicious pods, but internet-facing clusters could be targeted.
🏢 Internal Only: HIGH - Internal attackers with pod creation privileges can exploit this to compromise client systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the ability to create or control a pod that can send a malicious archive to the copying client. The vulnerability is well documented and a public proof of concept is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 9.0.1 and later, or version 10.0.1 and later

Vendor Advisory: https://groups.google.com/g/kubernetes-security-announce/c/sd5h73sFPrg

Restart Required: Yes

Instructions:

1. Update the Kubernetes Java client library to version 9.0.1 or later (for the 9.x branch) or 10.0.1 or later (for the 10.x branch).
2. Update the pom.xml or build.gradle dependencies.
3. Rebuild and redeploy affected applications.
4. Restart any running services using the updated libraries.

🔧 Temporary Workarounds

Disable file copy from untrusted pods (all platforms)

Avoid using the copy functionality from remote pods that you don't fully trust.

# Review application code and remove or restrict copy operations from pods
# Implement pod validation before allowing copy operations

Implement file path validation (all platforms)

Add custom validation to ensure copied files stay within safe directories.

# Implement path canonicalization and validation in copy operations
# Use java.nio.file.Path methods to validate paths before writing
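The check the workaround above describes, as an added example that is not the Kubernetes Java client's own code or its upstream fix: each archive entry name received from the pod is resolved against the destination directory, normalized, and rejected if the result lies outside that directory. The class and method names (SafeCopyPath, safeResolve, isSafe) and the sample entry names are assumptions made for this example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

// Hypothetical helper (example code, not part of the client library).
public class SafeCopyPath {

    // Returns the validated absolute destination path for an archive entry,
    // or throws if the entry would land outside destDir.
    public static Path safeResolve(Path destDir, String entryName) {
        Path base = destDir.toAbsolutePath().normalize();
        // resolve() then normalize() collapses "." and ".." components.
        // An absolute entryName resolves to itself, not under base, so the
        // startsWith check below rejects it too.
        Path target = base.resolve(entryName).normalize();
        // Path.startsWith compares whole path components, so a sibling such as
        // /tmp/copy-dest2 is not mistaken for a child of /tmp/copy-dest.
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException(
                "archive entry escapes destination directory: " + entryName);
        }
        return target;
    }

    public static boolean isSafe(Path destDir, String entryName) {
        try {
            safeResolve(destDir, entryName);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Path dest = Paths.get("/tmp/copy-dest"); // constructed destination
        // Constructed entry names, as they might appear in a tar stream sent
        // by a pod during a copy-from-pod operation.
        List<String> entries = List.of(
            "app/config.yaml",          // allowed
            "logs/../app/data.db",      // allowed: normalizes to app/data.db
            "../../escaped.txt",        // rejected: climbs above dest
            "/absolute/path.txt",       // rejected: absolute entry name
            "app/../../escaped2.txt");  // rejected: climbs above dest
        for (String e : entries) {
            System.out.printf("%-26s -> %s%n", e,
                isSafe(dest, e) ? "ALLOW " + safeResolve(dest, e) : "REJECT");
        }
    }
}
```

This check operates on the lexical path only; if the archive can also create symbolic links inside the destination tree, resolve the parent directory with toRealPath() immediately before each write so a link pointing outside the destination is caught as well.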

🧯 If You Can't Patch

  • Implement strict pod admission controls to prevent untrusted pods from being created
  • Run client applications with minimal file system permissions and in isolated containers

🔍 How to Verify

Check if Vulnerable:

Check your project's dependency management file (pom.xml or build.gradle) for kubernetes-client version. If version is 10.0.0 or any version below 9.0.1, you are vulnerable.

Check Version:

Maven:

mvn dependency:tree | grep -i kubernetes

Gradle:

gradle dependencies | grep -i kubernetes

# A case-insensitive match on "kubernetes" also catches the io.kubernetes group id
# used by the official client artifact, which the literal string "kubernetes-client" would miss.

Verify Fix Applied:

After updating, verify the kubernetes-client version is 9.0.1+ or 10.0.1+ in your dependency management file and rebuilt application.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file write operations outside expected directories
  • Errors from file copy operations with path traversal patterns
  • Multiple failed file write attempts to system directories

Network Indicators:

  • Unusual pod creation followed by file copy operations
  • Large archive transfers from pods to client applications

SIEM Query:

source="kubernetes" AND (operation="copy" OR operation="exec") AND (path="../" OR path="..\\" OR path contains "../")
