-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stemmed from insecure YAML deserialization using SnakeYAML's default constructor. The patch explicitly adds SafeConstructor to restrict deserialization to standard Java types. The unmarshalYaml function directly handles YAML input parsing and was the locus of the unsafe deserialization. The CWEs (94/502) and commit diff both confirm this was the attack vector.
JavaJava| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| io.fabric8:kubernetes-client | maven | >= 5.0.0-beta-1, < 5.0.3 | 5.0.3 |
| io.fabric8:kubernetes-client | maven | >= 5.1.0, < 5.1.2 | 5.1.2 |
| io.fabric8:kubernetes-client | maven | >= 5.2.0, < 5.3.2 | 5.3.2 |
| io.fabric8:kubernetes-client | maven | >= 5.5.0, < 5.7.4 | 5.7.4 |
| io.fabric8:kubernetes-client | maven | >= 5.8.0, < 5.8.1 | 5.8.1 |
| io.fabric8:kubernetes-client | maven | >= 5.9.0, < 5.10.2 | 5.10.2 |
| io.fabric8:kubernetes-client | maven | >= 5.11.0, < 5.11.2 | 5.11.2 |
Ongoing coverage of React2Shell