CVE-2018-1002100
4.2
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
Summary
In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Kubernetes | Kubernetes | v1.5.x | affected |
| Kubernetes | Kubernetes | v1.6.x | affected |
| Kubernetes | Kubernetes | v1.7.x | affected |
| Kubernetes | Kubernetes | v1.8.x | affected |
| Kubernetes | Kubernetes | unspecified < v1.9.6 | affected |
Weaknesses
- directory traversal vulnerability
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/kubernetes/kubernetes/issues/61297
- https://hansmi.ch/articles/2018-04-openshift-s2i-security
- https://bugzilla.redhat.com/show_bug.cgi?id=1564305
References
- https://github.com/kubernetes/kubernetes/issues/61297
- https://hansmi.ch/articles/2018-04-openshift-s2i-security
- https://bugzilla.redhat.com/show_bug.cgi?id=1564305
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.