CVE-2018-1002100

Published: 17 Mar 2018
Source: redhat
CVSS3: 6.1

Description

In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.

An improper validation flaw exists in the kubernetes 'kubectl cp' command. An attacker, who could trick a user into using the command to copy files locally from a pod, could override files outside of the target directory of the command.
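The flaw described above is a missing containment check on the entry names of the tar stream that the container sends back: nothing verified that each resolved path stayed inside the destination directory. The Go code below is an added illustration of that check, not kubectl's own code and not the upstream fix; the names `safeDestPath`, `extractNames`, `buildTar` and the in-memory sample archive are assumptions for this example. It validates entry names only and does not address symlink handling.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"io"
	"path/filepath"
	"strings"
)

// ErrPathEscape marks a tar entry whose name would resolve outside the destination directory.
var ErrPathEscape = errors.New("tar entry escapes destination directory")
// safeDestPath joins an entry name onto destDir (Join cleans "..") and rejects anything outside destDir.
func safeDestPath(destDir, name string) (string, error) {
	target := filepath.Join(destDir, name)
	rel, err := filepath.Rel(destDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return target, nil
}
// extractNames returns the validated destination path of every entry; the first escaping entry aborts the copy.
func extractNames(destDir string, r io.Reader) ([]string, error) {
	tr := tar.NewReader(r)
	var out []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		p, err := safeDestPath(destDir, hdr.Name)
		if err != nil {
			return nil, err
		}
		out = append(out, p)
	}
}
// buildTar builds an in-memory archive with the given entry names (constructed sample data, not a real pod stream).
func buildTar(names ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0600})
	}
	tw.Close()
	return buf.Bytes()
}
```

A name such as `..data` is still accepted, since the check compares path components rather than raw prefixes.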

Report

Kubernetes support is moving from Red Hat Enterprise Linux to OpenShift Container Platform. Kubernetes and its dependencies will no longer be updated through the Extras channel. Instead, Red Hat customers are advised to use Red Hat's supported Kubernetes-based products, such as Red Hat OpenShift Container Platform.

Affected packages

Platform | Package | State | Advisory | Release date
Red Hat Enterprise Linux 7 | kubernetes | Will not fix | |
Red Hat OpenShift Container Platform 3.10 | atomic-openshift | Not affected | |
Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Not affected | |
Red Hat OpenShift Container Platform 4 | openshift | Not affected | |
Red Hat OpenShift Container Platform 3.9 | atomic-openshift | Fixed | RHBA-2018:1796 | 06.06.2018
Red Hat OpenShift Container Platform 3.9 | atomic-openshift-dockerregistry | Fixed | RHBA-2018:1796 | 06.06.2018
Red Hat OpenShift Container Platform 3.9 | atomic-openshift-web-console | Fixed | RHBA-2018:1796 | 06.06.2018
Red Hat OpenShift Container Platform 3.9 | cri-o | Fixed | RHBA-2018:1796 | 06.06.2018
Red Hat OpenShift Container Platform 3.9 | cri-tools | Fixed | RHBA-2018:1796 | 06.06.2018
Red Hat OpenShift Container Platform 3.9 | golang-github-prometheus-node_exporter | Fixed | RHBA-2018:1796 | 06.06.2018


Additional information

Status: Moderate
Weakness: CWE-20
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1564305
kubernetes: Kubectl copy doesn't check for paths outside of its destination directory
CVSS3: 6.1 (Medium)

Related vulnerabilities

CVSS3: 4.2 | ubuntu | about 7 years ago

In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.

CVSS3: 4.2 | nvd | about 7 years ago

In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.

CVSS3: 4.2 | debian | about 7 years ago

In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to versio ...

CVSS3: 5.5 | github | about 3 years ago

Kubernetes arbitrary file overwrite
