Improper Neutralization of Escape, Meta, or Control Sequences

CVE-2021-25743

Low

3/10

Summary

kubectl does not neutralize escape, meta or control sequences contained in the raw data it outputs to a terminal. This includes but is not limited to the unstructured string fields in objects such as Events. This issue affects versions prior to v1.26.0-alpha.3.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: CHANGED
User Interaction: REQUIRED
Privileges Required: LOW
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

References

Advisory
Issue
Pull request

Advisory Timeline

Published Jan 07, 2022

Improper Neutralization of Escape, Meta, or Control Sequences

CVE-2021-25743

Summary

CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS