Skip to content

Kubernetes kubectl cp Vulnerable to Symlink Attack

Moderate severity GitHub Reviewed Published May 18, 2021 to the GitHub Advisory Database • Updated Sep 18, 2023

Package

gomod k8s.io/kubernetes (Go)

Affected versions

>= 1.13.10, < 1.13.11
>= 1.14.6, < 1.14.7
>= 1.15.3, < 1.16.0

Patched versions

1.13.11
1.14.7
1.16.0

Description

The Kubernetes kubectl cp command in versions 1.1-1.12, and versions prior to 1.13.11, 1.14.7, and 1.15.4 allows a combination of two symlinks provided by tar output of a malicious container to place a file outside of the destination directory specified in the kubectl cp invocation. This could be used to allow an attacker to place a nefarious file using a symlink, outside of the destination tree.

References

Reviewed May 17, 2021
Published to the GitHub Advisory Database May 18, 2021
Last updated Sep 18, 2023

Severity

Moderate
5.7
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Weaknesses

CVE ID

CVE-2019-11251

GHSA ID

GHSA-6qfg-8799-r575

Source code

No known source code
Checking history
See something to contribute? Suggest improvements for this vulnerability.