CVE-2019-11249: Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal #80984

Closed
joelsmith opened this issue Aug 5, 2019 · 2 comments


@joelsmith
Contributor

commented Aug 5, 2019

CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N

A third issue was discovered with the Kubernetes kubectl cp command that could enable a directory traversal such that a malicious container could replace or create files on a user’s workstation. The vulnerability is a client-side defect and requires user interaction to be exploited.

Vulnerable versions:
Kubernetes 1.0.x-1.12.x
Kubernetes 1.13.0-1.13.8
Kubernetes 1.14.0-1.14.4
Kubernetes 1.15.0-1.15.1

Vulnerable configurations:
All kubectl clients running a vulnerable version and using the cp operation.

Vulnerability impact:
A malicious user can potentially create or overwrite files outside of the destination directory of the kubectl cp operation.

Mitigations prior to upgrading:
Avoid using kubectl cp with any untrusted workloads.

Fixed versions:
Fixed in v1.13.9 by #80871
Fixed in v1.14.5 by #80870
Fixed in v1.15.2 by #80869
Fixed in master by #80436

Fix impact:
The kubectl cp function is prevented from creating or modifying files outside the destination directory.

Acknowledgements:
This issue was discovered by Yang Yang of Amazon, who also provided a patch. Thanks also to the release managers for creating the security releases.
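
The fix impact described in the advisory above amounts to a containment check on every path the client is asked to write, since `kubectl cp` unpacks a tar stream produced inside the container. A sketch of such a check in Go follows as an added example; it is not the code from #80436 or from the Kubernetes project. `within` and `safeTarget` are hypothetical names, and the entry names in `main` are constructed.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// within reports whether target is base itself or lies beneath it.
func within(base, target string) bool {
	rel, err := filepath.Rel(base, target)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeTarget (hypothetical) maps an untrusted entry name into an existing destDir.
func safeTarget(destDir, entry string) (string, error) {
	base, err := filepath.EvalSymlinks(destDir) // canonical destination
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, entry) // Join also cleans "." and ".."
	if filepath.IsAbs(entry) || !within(base, target) {
		return "", fmt.Errorf("entry %q escapes %s", entry, base)
	}
	// Lexical checks miss symlinks planted earlier: resolve the nearest existing ancestor.
	for dir := target; ; dir = filepath.Dir(dir) {
		resolved, err := filepath.EvalSymlinks(dir)
		if os.IsNotExist(err) {
			if _, lerr := os.Lstat(dir); lerr != nil {
				continue // nothing at this path yet: check its parent
			}
		}
		if err != nil || !within(base, resolved) { // includes dangling symlinks
			return "", fmt.Errorf("entry %q does not resolve inside %s", entry, base)
		}
		return target, nil
	}
}

func main() {
	dest, _ := os.MkdirTemp("", "cp-dest") // constructed sample destination
	defer os.RemoveAll(dest)
	os.Symlink(os.TempDir(), filepath.Join(dest, "link")) // link points outside dest
	for _, e := range []string{"app/config.yaml", "../evil", "link/evil", "/etc/evil"} {
		_, err := safeTarget(dest, e)
		fmt.Printf("%-18q allowed=%v\n", e, err == nil)
	}
}
```

The check has to run again for each entry at the moment it is written, because an entry extracted earlier can change what a later path resolves to.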

@joelsmith

Contributor Author

commented Aug 5, 2019

/sig cli

@k8s-ci-robot k8s-ci-robot added sig/cli and removed needs-sig labels Aug 5, 2019

@joelsmith joelsmith changed the title from "WIP Placeholder Issue #2" to "CVE-2019-11249: Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal" Aug 5, 2019

@joelsmith

Contributor Author

commented Aug 5, 2019

Fixed in #80436 and associated cherry-picks (see description).
