2042418 – (CVE-2021-25743) CVE-2021-25743 kubernetes: kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal

Bug 2042418 (CVE-2021-25743) - CVE-2021-25743 kubernetes: kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal

Summary: CVE-2021-25743 kubernetes: kubectl does not neutralize escape, meta or contro...

Keywords:
Status:	NEW
Alias:	CVE-2021-25743
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2042419 2043563 2043564 2043565 2043570 2044401 2056821 2056822 2043569 2043571 2044402 2047712
Blocks:	2042420
TreeView+	depends on / blocked

Reported:	2022-01-19 13:49 UTC by Guilherme de Almeida Suckevicz
Modified:	2022-05-03 00:25 UTC (History)
CC List:	62 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	An improper input validation vulnerability was discovered in Kubernetes. In Kubernetes and the OpenShift Container Platform, terminal escape sequence characters are not sanitized in various object-free text fields. This flaw allows an authenticated user to include escape sequence characters in free text fields that are later displayed by the `kubectl` or `oc` binaries. This issue allows spoofing and obscuring `kubectl` output.
Clone Of:
Environment:
Last Closed:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Guilherme de Almeida Suckevicz 2022-01-19 13:49:27 UTC

kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events.

Reference:
https://github.com/kubernetes/kubernetes/issues/101695

Comment 1 Guilherme de Almeida Suckevicz 2022-01-19 13:49:50 UTC

Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 2042419]

Comment 2 Przemyslaw Roguski 2022-01-21 14:17:20 UTC

Created golang-k8s-kubectl tracking bugs for this issue:

Affects: fedora-all [bug 2043563]


Created golang-k8s-kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 2043564]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 2043565]

Note You need to log in before you can comment on or make changes to this bug.

abenaiss
admiller
aos-bugs
bcoca
bdettelb
bmontgom
bradley.g.smith
caswilli
cmeyers
crarobin
davidn
dhalasz
eparis
fjansen
gblomqui
go-sig
gparvin
hello
jbrooks
jburrell
jcajka
jcammara
jchaloup
jhardy
jmadigan
jobarker
joelsmith
jokerman
jramanat
jwong
kaycoth
lhinds
mabashia
maszulik
mfojtik
ngough
njean
notting
nstielau
osapryki
pahickey
pamccart
pbhattac
relrod
rfreiman
rpetrell
sdoran
smcdonal
spandura
sponnaga
stcannon
stclairt
sthirugn
strigazi
sttts
tkuratom
vbatts
vkrizan
vkumar
vmugicag
xxia
zebob.m