CVE-2019-11249: Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal #80984
Labels
area/security
kind/bug
Categorizes issue or PR as related to a bug.
official-cve-feed
Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)
sig/cli
Categorizes an issue or PR as relevant to SIG CLI.
Comments
k8s-ci-robot
added
area/security
needs-sig
|
/sig cli |
k8s-ci-robot
added
sig/cli
joelsmith
changed the title
|
Fixed in #80436 and associated cherry-picks (see description). |
|
/label official-cve-feed (Related to kubernetes/sig-security#1) |
k8s-ci-robot
added
the
official-cve-feed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
A third issue was discovered with the Kubernetes
kubectl cpcommand that could enable a directory traversal such that a malicious container could replace or create files on a user’s workstation. The vulnerability is a client-side defect and requires user interaction to be exploited.Vulnerable versions:
Kubernetes 1.0.x-1.12.x
Kubernetes 1.13.0-1.13.8
Kubernetes 1.14.0-1.14.4
Kubernetes 1.15.0-1.15.1
Vulnerable configurations:
All
kubectlclients running a vulnerable version and using thecpoperation.Vulnerability impact:
A malicious user can potentially create or overwrite files outside of the destination directory of the
kubectl cpoperation.Mitigations prior to upgrading:
Avoid using
kubectl cpwith any untrusted workloads.Fixed versions:
Fixed in v1.13.9 by #80871
Fixed in v1.14.5 by #80870
Fixed in v1.15.2 by #80869
Fixed in master by #80436
Fix impact:
The
kubectl cpfunction is prevented from creating or modifying files outside the destination directory.Acknowledgements:
This issue was discovered by Yang Yang of Amazon, who also provided a patch. Thanks also to the release managers for creating the security releases.
The text was updated successfully, but these errors were encountered: