GHSA-6qfg-8799-r575

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-6qfg-8799-r575/GHSA-6qfg-8799-r575.json
Aliases
  • CVE-2019-11251
Published
2021-05-18T15:30:07Z
Modified
2023-09-18T20:30:39Z
Details

The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by the tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could allow an attacker to use a symlink to place a malicious file outside of the destination tree.
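The mitigation for this class of bug is to validate every archive entry against where it will actually land on disk, not only against its lexical path: a symlink written by an earlier entry can redirect a later entry outside the destination. The following Go program is an added example written for this page; it is not Kubernetes code and not the fix that shipped for this advisory. It unpacks a tar stream into a destination directory and rejects (a) entry names that escape lexically, (b) symlink entries whose target is absolute or points outside the destination, and (c) any entry whose deepest existing on-disk ancestor resolves, through symlinks, to a location outside the destination. The archives it builds are constructed sample input; the names `ExtractSafely`, `BuildArchive`, `Entry` and `ErrEscape` are this example's own.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscape is returned when an archive entry would land outside the destination.
var ErrEscape = errors.New("tar entry escapes destination directory")

// Entry is a minimal archive entry used to build constructed sample archives.
type Entry struct {
	Name, Linkname, Body string
	Typeflag             byte
}

// BuildArchive produces an in-memory tar stream from constructed entries.
func BuildArchive(entries []Entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Typeflag: e.Typeflag, Linkname: e.Linkname,
			Mode: 0o644, Size: int64(len(e.Body))}
		_ = tw.WriteHeader(hdr)
		_, _ = tw.Write([]byte(e.Body))
	}
	_ = tw.Close()
	return buf.Bytes()
}

// insideDest reports whether the cleaned absolute path p is dest itself or below it.
func insideDest(dest, p string) bool {
	rel, err := filepath.Rel(dest, p)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// realAncestorInside walks up from p to the deepest component that already exists
// on disk, resolves it through any symlinks, and checks it is still inside dest.
// This is what defeats "write through a symlink created by an earlier entry".
func realAncestorInside(dest, p string) (bool, error) {
	for cur := p; ; cur = filepath.Dir(cur) {
		if _, err := os.Lstat(cur); err == nil {
			real, err := filepath.EvalSymlinks(cur) // fails closed on dangling links
			if err != nil {
				return false, err
			}
			return insideDest(dest, real), nil
		} else if !os.IsNotExist(err) {
			return false, err
		}
		if filepath.Dir(cur) == cur {
			return false, nil
		}
	}
}

// ExtractSafely unpacks r into dest, refusing entries that escape dest directly,
// via a symlink entry, or via a symlink that is already present on disk.
func ExtractSafely(r io.Reader, dest string) error {
	dest, err := filepath.Abs(dest)
	if err != nil {
		return err
	}
	if dest, err = filepath.EvalSymlinks(dest); err != nil { // canonical base for comparisons
		return err
	}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		target := filepath.Join(dest, hdr.Name) // Join cleans ".." components
		if !insideDest(dest, target) {
			return fmt.Errorf("%w: %q", ErrEscape, hdr.Name)
		}
		ok, err := realAncestorInside(dest, target)
		if err != nil {
			return err
		}
		if !ok {
			return fmt.Errorf("%w: %q resolves through a symlink", ErrEscape, hdr.Name)
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case tar.TypeSymlink:
			// Absolute targets and relative targets that leave dest are refused.
			if filepath.IsAbs(hdr.Linkname) ||
				!insideDest(dest, filepath.Join(filepath.Dir(target), hdr.Linkname)) {
				return fmt.Errorf("%w: symlink %q -> %q", ErrEscape, hdr.Name, hdr.Linkname)
			}
			err = os.Symlink(hdr.Linkname, target)
		case tar.TypeReg:
			var f *os.File
			if f, err = os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644); err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
		default:
			return fmt.Errorf("unsupported entry type %q for %q", hdr.Typeflag, hdr.Name)
		}
		if err != nil {
			return err
		}
	}
}

func main() {
	dest, _ := os.MkdirTemp("", "safe-extract")
	defer os.RemoveAll(dest)
	bad := BuildArchive([]Entry{{Name: "link", Typeflag: tar.TypeSymlink, Linkname: "../outside"},
		{Name: "link/evil.txt", Typeflag: tar.TypeReg, Body: "x"}})
	fmt.Println("malicious archive:", ExtractSafely(bytes.NewReader(bad), dest))
}
```

The on-disk check in `realAncestorInside` is the part that matters for this advisory: a purely lexical check passes `link/evil.txt` because the name contains no `..`, but resolving the existing parent `link` shows it points outside the destination, so the write is refused before any file is created.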

References

Affected packages

Go / k8s.io/kubernetes

Source Details

Package Name
k8s.io/kubernetes

Affected ranges

Type
SEMVER
Events
Introduced
1.13.10
Fixed
1.13.11

Ecosystem specific

{
    "affected_functions": [
        ""
    ]
}

Go / k8s.io/kubernetes

Source Details

Package Name
k8s.io/kubernetes

Affected ranges

Type
SEMVER
Events
Introduced
1.14.6
Fixed
1.14.7

Ecosystem specific

{
    "affected_functions": [
        ""
    ]
}

Go / k8s.io/kubernetes

Source Details

Package Name
k8s.io/kubernetes

Affected ranges

Type
SEMVER
Events
Introduced
1.15.3
Fixed
1.16.0

Ecosystem specific

{
    "affected_functions": [
        ""
    ]
}