GHSA-2575-pghm-6qqx

Source
https://github.com/advisories/GHSA-2575-pghm-6qqx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-2575-pghm-6qqx/GHSA-2575-pghm-6qqx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2575-pghm-6qqx
Aliases
Published
2022-02-15T01:57:18Z
Modified
2023-11-08T04:01:00.110313Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Summary
Kubernetes Unsafe Caching
Details

In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.
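
To check a workstation or shared build host for the condition described above, the following Go program walks a kubectl cache directory and lists every entry that group or other users can write to, optionally clearing those bits. It is an added example, not code from the advisory or from Kubernetes; `AuditCacheDir` and `looseWrite` are hypothetical names, and the default path is the one the advisory gives.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// looseWrite is group-write (0020) plus other-write (0002).
const looseWrite fs.FileMode = 0o022

// AuditCacheDir (hypothetical helper) returns every file or directory under
// dir that group or other users may write to. With fix=true it also clears
// those write bits, leaving the owner's permissions untouched.
func AuditCacheDir(dir string, fix bool) ([]string, error) {
	var loose []string
	err := filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		info, err := d.Info() // Lstat semantics: symlinks are not followed
		if err != nil {
			return err
		}
		mode := info.Mode()
		// A symlink's own mode bits are not enforced, so it is skipped.
		if mode&fs.ModeSymlink != 0 || mode.Perm()&looseWrite == 0 {
			return nil
		}
		loose = append(loose, p)
		if fix {
			return os.Chmod(p, mode.Perm()&^looseWrite)
		}
		return nil
	})
	return loose, err
}

func main() {
	dir := filepath.Join(os.Getenv("HOME"), ".kube", "http-cache") // default from the advisory
	if len(os.Args) > 1 {
		dir = os.Args[1] // or whatever path was given to --cache-dir
	}
	loose, err := AuditCacheDir(dir, false)
	fmt.Println("group/other-writable:", loose, "error:", err)
}
```

An empty list only covers mode bits on the cache contents; a `--cache-dir` placed under a parent directory that other users can write to still needs a separate check.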

Database specific
{
    "github_reviewed_at": "2021-05-07T17:22:21Z",
    "cwe_ids": [
        "CWE-524",
        "CWE-732"
    ],
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed": true
}

Affected packages

Go / k8s.io/client-go

Package

Name
k8s.io/client-go
Purl
pkg:golang/k8s.io/client-go

Affected ranges

Type
SEMVER
Events
Introduced
1.8.0
Fixed
1.12.9