ByteOS Network

CVE Vulnerability Details :

CVE-2019-1002101

PUBLISHED

More Info Official Page

Assigner-dwf

Assigner Org ID-7556d962-6fb7-411e-85fa-6cd62f095ba8

Published At-01 Apr, 2019 | 14:14

Updated At-16 Sep, 2024 | 20:46

▼CVE Numbering Authority (CNA)

kubectl cp path traversal

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.

Affected Products

Vendor

Kubernetes

Product

Kubernetes

Versions

Affected

1.1-1.10
From 1.11 before 1.11.9 (custom)
From 1.12 before 1.12.7 (custom)
From 1.13 before 1.13.5 (custom)

Problem Types

Type	CWE ID	Description
text	N/A	Data Handling

Metrics

Version	Base score	Base severity	Vector
3.0	6.4	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Credits

Ariel Zelivansky of Twistlock

References

Hyperlink	Resource
https://github.com/kubernetes/kubernetes/pull/75037	x_refsource_MISC
http://www.securityfocus.com/bid/107652	vdb-entry x_refsource_BID
https://access.redhat.com/errata/RHBA-2019:0620	vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHBA-2019:0619	vendor-advisory x_refsource_REDHAT
https://access.redhat.com/errata/RHBA-2019:0636	vendor-advisory x_refsource_REDHAT
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BPV2RE5RMOGUVP5WJMXKQJZUBBLAFZPZ/	vendor-advisory x_refsource_FEDORA
http://www.openwall.com/lists/oss-security/2019/06/21/1	mailing-list x_refsource_MLIST
http://www.openwall.com/lists/oss-security/2019/08/05/5	mailing-list x_refsource_MLIST
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QZB7E3DOZ5WDG46XAIU6K32CXHXPXB2F/	vendor-advisory x_refsource_FEDORA
https://www.twistlock.com/labs-blog/disclosing-directory-traversal-vulnerability-kubernetes-copy-cve-2019-1002101/	x_refsource_MISC

▼Authorized Data Publishers (ADP)

CVE Program Container

References

Hyperlink	Resource
https://github.com/kubernetes/kubernetes/pull/75037	x_refsource_MISC x_transferred
http://www.securityfocus.com/bid/107652	vdb-entry x_refsource_BID x_transferred
https://access.redhat.com/errata/RHBA-2019:0620	vendor-advisory x_refsource_REDHAT x_transferred
https://access.redhat.com/errata/RHBA-2019:0619	vendor-advisory x_refsource_REDHAT x_transferred
https://access.redhat.com/errata/RHBA-2019:0636	vendor-advisory x_refsource_REDHAT x_transferred
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BPV2RE5RMOGUVP5WJMXKQJZUBBLAFZPZ/	vendor-advisory x_refsource_FEDORA x_transferred
http://www.openwall.com/lists/oss-security/2019/06/21/1	mailing-list x_refsource_MLIST x_transferred
http://www.openwall.com/lists/oss-security/2019/08/05/5	mailing-list x_refsource_MLIST x_transferred
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QZB7E3DOZ5WDG46XAIU6K32CXHXPXB2F/	vendor-advisory x_refsource_FEDORA x_transferred
https://www.twistlock.com/labs-blog/disclosing-directory-traversal-vulnerability-kubernetes-copy-cve-2019-1002101/	x_refsource_MISC x_transferred

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References