Skip to content

Kubernetes arbitrary file overwrite

Moderate severity GitHub Reviewed Published May 13, 2022 to the GitHub Advisory Database • Updated Sep 18, 2023

Package

gomod k8s.io/kubernetes (Go)

Affected versions

>= 1.8.0, <= 1.8.8
>= 1.9.0, <= 1.9.3
>= 1.3.0, <= 1.7.13

Patched versions

1.8.9
1.9.4
1.7.14

Description

In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.

References

Published by the National Vulnerability Database Mar 13, 2018
Published to the GitHub Advisory Database May 13, 2022
Reviewed Jul 26, 2023
Last updated Sep 18, 2023

Severity

Moderate
5.6
/ 10

CVSS base metrics

Attack vector
Local
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N

Weaknesses

CVE ID

CVE-2017-1002102

GHSA ID

GHSA-mm7g-f2gg-cw8g

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.