CVE-2018-1002103: Dashboard vulnerable to DNS rebinding attack #3208
Thanks to Alex Kaskasoli (MWR Labs) for reporting this problem.
If an attacker gets a victim to visit a malicious web page, the attacker may be able to execute arbitrary code within the victim's minikube cluster.
minikube exposes the Kubernetes Dashboard listening on the VM IP at port 30000. In VM environments where the IP is easy to predict, the attacker can use DNS rebinding to indirectly make requests to the Kubernetes Dashboard without violating the Same-Origin Policy.
The attacker can generate a CSRF token from the
This vulnerability can be combined with a VM-specific vulnerability to escape to the host operating system. If
Network access to the dashboard service is now provided on an as-needed basis, and is managed by
Mitigations before upgrading:
Disable the dashboard entirely:
kubectl --namespace kube-system delete deployment kubernetes-dashboard