GHSA-2jq6-ffph-p4h8

Suggest an improvement
Source
https://github.com/advisories/GHSA-2jq6-ffph-p4h8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2jq6-ffph-p4h8/GHSA-2jq6-ffph-p4h8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2jq6-ffph-p4h8
Aliases
Published
2022-05-13T01:35:04Z
Modified
2024-08-20T20:59:00.621664Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Kubernetes arbitrary file overwrite
Details

In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to version 1.9.6, the kubectl cp command insecurely handles tar data returned from the container, and can be caused to overwrite arbitrary local files.

Database specific
{
    "nvd_published_at": "2018-06-02T01:29:00Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-21T21:50:42Z"
}
References

Affected packages

Go / k8s.io/kubernetes

Package

Name
k8s.io/kubernetes
View open source insights on deps.dev
Purl
pkg:golang/k8s.io/kubernetes

Affected ranges

Type
SEMVER
Events
Introduced
1.5
Fixed
1.9.6