GO-2022-0701

Source
https://pkg.go.dev/vuln/GO-2022-0701
Import Source
https://vuln.go.dev/ID/GO-2022-0701.json
Aliases
Published
2022-02-15T01:57:18Z
Modified
2023-11-08T03:57:57.616331Z
Details

Crafted object type names can cause directory traversal in Kubernetes.

Object names are not validated before being passed to etcd. An attacker can use a crafted object name to write arbitrary files, resulting in a directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0.

References

Affected packages

Go / k8s.io/kubernetes

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
1.1.1

Ecosystem specific

{
    "imports": [
        {
            "path": "k8s.io/kubernetes/pkg/api/rest",
            "symbols": [
                "BeforeCreate"
            ]
        },
        {
            "path": "k8s.io/kubernetes/pkg/registry/generic/etcd",
            "symbols": [
                "NamespaceKeyFunc"
            ]
        },
        {
            "path": "k8s.io/kubernetes/pkg/storage",
            "symbols": [
                "NamespaceKeyFunc",
                "NoNamespaceKeyFunc"
            ]
        },
        {
            "path": "k8s.io/kubernetes/pkg/registry/namespace/etcd",
            "symbols": [
                "NewREST"
            ]
        },
        {
            "path": "k8s.io/kubernetes/pkg/registry/node/etcd",
            "symbols": [
                "NewREST"
            ]
        },
        {
            "path": "k8s.io/kubernetes/pkg/registry/persistentvolume/etcd",
            "symbols": [
                "NewREST"
            ]
        }
    ]
}