GHSA-2575-pghm-6qqx

Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-2575-pghm-6qqx/GHSA-2575-pghm-6qqx.json

Aliases

CVE-2019-11244

Published

2022-02-15T01:57:18Z

Modified

2023-09-18T20:18:54Z

Details

In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.

References

https://nvd.nist.gov/vuln/detail/CVE-2019-11244
https://github.com/kubernetes/kubernetes/issues/76676
https://github.com/kubernetes/kubernetes/pull/77874
https://github.com/kubernetes/kubernetes/pull/77874/commits/f228ae3364729caed59087e23c42868454bc3ff4
https://github.com/kubernetes/client-go/commit/790a4f63632139cf6731014d00a9a8338f1fbd7d
https://access.redhat.com/errata/RHSA-2019:3942
https://access.redhat.com/errata/RHSA-2020:0020
https://access.redhat.com/errata/RHSA-2020:0074
https://security.netapp.com/advisory/ntap-20190509-0002/
http://www.securityfocus.com/bid/108064

Affected packages

Go / k8s.io/client-go

Source Details

Package Name: k8s.io/client-go

Affected ranges

Type: SEMVER
Events: Introduced

1.8.0

Fixed

1.12.9

Ecosystem specific

{
    "affected_functions": [
        ""
    ]
}