CVE-2019-11251
Description
The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4, allows a combination of two symlinks provided in the tar output of a malicious container to place a file outside the destination directory specified in the kubectl cp invocation. An attacker could use this to write a nefarious file, via a symlink, outside the destination tree.
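A hardened extraction routine for the pattern described above, added here as an illustration in Go (the language kubectl is written in); it is not kubectl's code or the upstream fix. It refuses link entries outright and, as a second check, resolves each file's parent directory on disk before writing, so a symlink planted by an earlier entry cannot redirect a later one. Assumed: an existing destination directory and POSIX path separators.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// SafeUntar extracts a tar stream into the existing directory dest and refuses any entry
// that would land outside it: link entries of every kind are rejected, and the symlink-
// resolved parent of each file is re-checked right before the write, so a link planted by an
// earlier entry cannot redirect a later one. Illustrative hardening, not kubectl's own code.
func SafeUntar(r io.Reader, dest string) error {
	root, err := filepath.EvalSymlinks(dest) // canonical destination, for the prefix checks below
	if err != nil {
		return err
	}
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return err
		}
		target := filepath.Join(root, hdr.Name) // Join collapses ".." segments
		dir := filepath.Dir(target)
		if !strings.HasPrefix(target+"/", root+"/") {
			return fmt.Errorf("entry %q escapes %s", hdr.Name, root)
		} else if hdr.Typeflag == tar.TypeDir {
			continue // directories are created on demand for the files inside them
		} else if hdr.Typeflag != tar.TypeReg { // symlinks, hard links, devices
			return fmt.Errorf("entry %q: type %q not allowed", hdr.Name, hdr.Typeflag)
		} else if err := os.MkdirAll(dir, 0o755); err != nil {
			return err
		} else if actual, err := filepath.EvalSymlinks(dir); err != nil {
			return err // the parent is created first so that its real location can be checked
		} else if !strings.HasPrefix(actual+"/", root+"/") {
			return fmt.Errorf("entry %q: parent resolves to %s, outside %s", hdr.Name, actual, root)
		} else if f, err := os.Create(target); err != nil {
			return err
		} else if _, err := io.Copy(f, tr); err != nil {
			f.Close()
			return err
		} else if err := f.Close(); err != nil {
			return err
		}
	}
	return nil
}
```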
Risk Information
Base Score
5.7
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
EPSS Score
Exploitation Probability
3.448
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Kubeadm update (ELSA-2019-4816) kubeadm-1.12.10-1.0.10.el7.x86_64.rpm | Linux |
| Kubeadm-ha-setup update (ELSA-2019-4816) kubeadm-ha-setup-0.0.2-1.0.68.el7.x86_64.rpm | Linux |
| Kubeadm-upgrade update (ELSA-2019-4816) kubeadm-upgrade-0.0.1-1.0.27.el7.x86_64.rpm | Linux |
| Kubectl update (ELSA-2019-4816) kubectl-1.12.10-1.0.10.el7.x86_64.rpm | Linux |
| Kubelet update (ELSA-2019-4816) kubelet-1.12.10-1.0.10.el7.x86_64.rpm | Linux |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234