CVE-2018-1002100
Description
In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.
CWE
- (none)
Affected
- Kubernetes / Kubernetes — v=v1.5.x [affected]; v=v1.6.x [affected]; v=v1.7.x [affected]; v=v1.8.x [affected]; v=unspecified <v1.9.6 [affected]
CVSS
- 3.0 score=4.2 severity=MEDIUM
  CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
References
- https://github.com/kubernetes/kubernetes/issues/61297 x_refsource_CONFIRM
- https://hansmi.ch/articles/2018-04-openshift-s2i-security x_refsource_MISC
- https://bugzilla.redhat.com/show_bug.cgi?id=1564305 x_refsource_CONFIRM
Source
cvelistV5-main/cves/2018/1002xxx/CVE-2018-1002100.json