Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.

Affected Packages

Maven io.kubernetes:client-java

Affected versions: 0 (fixed in 9.0.2)

Maven io.kubernetes:client-java

Affected versions: 10.0.0 (fixed in 10.0.1)

Related CVEs

CVE-2020-8570

Key Information

GHSA ID

GHSA-cghx-9gcr-r42x

Published

January 29, 2021 6:12 PM

Last Modified

October 7, 2022 8:36 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

io.kubernetes:client-java

GitHub Reviewed

✓ Yes

Dataset

Last updated: November 25, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.