GHSA-6qfg-8799-r575

Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-6qfg-8799-r575/GHSA-6qfg-8799-r575.json

Aliases

CVE-2019-11251

Published

2021-05-18T15:30:07Z

Modified

2023-09-18T20:30:39Z

Details

The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree.

References

Affected packages

Go / k8s.io/kubernetes

Source Details

Package Name: k8s.io/kubernetes

Affected ranges

Type: SEMVER
Events: Introduced

1.13.10

Fixed

1.13.11

Ecosystem specific

{
    "affected_functions": [
        ""
    ]
}

Go / k8s.io/kubernetes

Source Details

Package Name: k8s.io/kubernetes

Affected ranges

Type: SEMVER
Events: Introduced

1.14.6

Fixed

1.14.7

Ecosystem specific

{
    "affected_functions": [
        ""
    ]
}

Go / k8s.io/kubernetes

Source Details

Package Name: k8s.io/kubernetes

Affected ranges

Type: SEMVER
Events: Introduced

1.15.3

Fixed

1.16.0

Ecosystem specific

{
    "affected_functions": [
        ""
    ]
}