Vulnerability Change Records for CVE-2019-1002101

Change History

CVE Modified by DWF 6/19/2019 9:15:10 PM

Action Type Old Value New Value
Changed Description
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user?s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user?s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user?s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user?s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.
Added Reference

								
							
							
						
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPV2RE5RMOGUVP5WJMXKQJZUBBLAFZPZ/ [No Types Assigned]

CVE Modified by DWF 4/01/2019 3:29:01 PM

Action Type Old Value New Value
Added Reference

								
							
							
						
http://www.securityfocus.com/bid/107652 [No Types Assigned]

CVE Modified by DWF 6/19/2019 3:15:10 AM

Action Type Old Value New Value
Changed Description
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user?s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user?s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user?s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user?s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.
Added Reference

								
							
							
						
https://access.redhat.com/errata/RHBA-2019:0619 [No Types Assigned]
Added Reference

								
							
							
						
https://access.redhat.com/errata/RHBA-2019:0620 [No Types Assigned]
Added Reference

								
							
							
						
https://access.redhat.com/errata/RHBA-2019:0636 [No Types Assigned]

CVE Modified by DWF 6/21/2019 8:15:10 AM

Action Type Old Value New Value
Changed Description
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user?s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user?s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user?s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user?s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.
Added Reference

								
							
							
						
http://www.openwall.com/lists/oss-security/2019/06/21/1 [No Types Assigned]

Initial Analysis 4/09/2019 9:32:45 AM

Action Type Old Value New Value
Added CPE Configuration

								
							
							
						
OR
     *cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:* versions from (including) 1.11.0 up to (excluding) 1.11.9
     *cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:* versions from (including) 1.12.0 up to (excluding) 1.12.7
     *cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:* versions from (including) 1.13.0 up to (excluding) 1.13.5
     *cpe:2.3:a:kubernetes:kubernetes:1.14.0:*:*:*:*:*:*:*
Added CPE Configuration

								
							
							
						
OR
     *cpe:2.3:a:redhat:openshift_container_platform:3.9:*:*:*:*:*:*:*
     *cpe:2.3:a:redhat:openshift_container_platform:3.10:*:*:*:*:*:*:*
     *cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
Added CVSS V2

								
							
							
						
(AV:N/AC:M/Au:N/C:N/I:P/A:P)
Added CVSS V2 Metadata

								
							
							
						
Victim must voluntarily interact with attack mechanism
Added CVSS V3

								
							
							
						
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Added CWE

								
							
							
						
CWE-59
Added Reference

								
							
							
						
https://access.redhat.com/security/cve/cve-2019-1002101 [Third Party Advisory]
Changed Reference Type
http://www.securityfocus.com/bid/107652 No Types Assigned
http://www.securityfocus.com/bid/107652 Third Party Advisory, VDB Entry
Changed Reference Type
https://github.com/kubernetes/kubernetes/pull/75037 No Types Assigned
https://github.com/kubernetes/kubernetes/pull/75037 Patch, Third Party Advisory

CVE Modified by DWF 8/05/2019 2:15:10 PM

Action Type Old Value New Value
Changed Description
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user?s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user?s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user?s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user?s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.
Added Reference

								
							
							
						
http://www.openwall.com/lists/oss-security/2019/08/05/5 [No Types Assigned]

CVE Modified by DWF 4/01/2019 11:29:01 AM

Action Type Old Value New Value
Changed Description
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine.

If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user.

The untar function can both create and follow symbolic links.

The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user?s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user?s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.

CVE Modified by DWF 10/22/2019 12:15:10 PM

Action Type Old Value New Value
Changed Description
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user?s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user?s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user?s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user?s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.
Added Reference

								
							
							
						
https://www.twistlock.com/labs-blog/disclosing-directory-traversal-vulnerability-kubernetes-copy-cve-2019-1002101/ [No Types Assigned]

CVE Modified by DWF 2/10/2020 4:49:01 PM

Action Type Old Value New Value
Changed Description
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user?s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user?s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.