ASA-2019-00161 – Kubernetes: Directory traversal vulnerability in kubectl

Allele Security Alert



ASA-2019-00161, CVE-2019-1002101


Directory traversal in kubectl


Cloud Native Computing Foundation



Affected version(s)

kubectl versions prior to v1.11.9
kubectl versions prior to v1.12.7
kubectl versions prior to v1.13.5
kubectl versions prior to v1.14.0

Fixed version(s)

kubectl version v1.11.9
kubectl version v1.12.7
kubectl version v1.13.5
kubectl version v1.14.0

Proof of concept



A security issue was discovered with the Kubernetes `kubectl cp` command that could enable a directory traversal replacing or deleting files on a user’s workstation.

Technical details

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine.

If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user.

Since fixing CVE-2018-1002100, the untar function calls the cp.go:clean to strip path traversals. However, that function can both create and follow symbolic links.


Ariel Zelivansky (Twistlock)


[ANNOUNCE] Security release of Kubernetes kubectl – potential directory traversal – Releases 1.11.9, 1.12.7, 1.13.5, and 1.14.0 – CVE-2019-1002101

kubectl fix potential directory traversal – CVE-2019-1002101 #75037

Disclosing a directory traversal vulnerability in Kubernetes copy – CVE-2019-1002101

CVE-2019-1002101 - Red Hat Customer Portal


CVE-2019-1002101 in Ubuntu

CVE-2019-1002101 | SUSE



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: August 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.