CVE-2020-8570

CVE-2020-8570 is a critical-severity vulnerability in Kubernetes Java with a CVSS 3.x base score of 9.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-22.

Key facts

Description

Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.

Frequently asked questions

What is CVE-2020-8570?
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executing the client code.
How severe is CVE-2020-8570?
CVE-2020-8570 has a CVSS 3.x base score of 9.1, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability high.
Is CVE-2020-8570 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 4% (88th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2020-8570?
CVE-2020-8570 affects Kubernetes Java. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2020-8570?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
When was CVE-2020-8570 published?
CVE-2020-8570 was published on 2021-01-21 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Kubernetes Java

All CVEs affecting Kubernetes Java →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →