CVE-2017-1002102

Summary

In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.

Affected Software

VendorProductVersion RangeStatus
KubernetesKubernetesv1.3.xaffected
KubernetesKubernetesv1.4.xaffected
KubernetesKubernetesv1.5.xaffected
KubernetesKubernetesv1.6.xaffected
KubernetesKubernetesunspecified < v1.7.14affected
KubernetesKubernetesunspecified < v1.8.9affected
KubernetesKubernetesunspecified < v1.9.4affected

Weaknesses

  • handled symbolic links insecurely

ADP Enrichment

CVE Program Container

Additional References

References