Allele Security Alert
ASA-2019-00391
Identifier(s)
ASA-2019-00391, CVE-2019-11246
Title
Incomplete fixes for CVE-2019-1002101, kubectl cp potential directory traversal
Vendor(s)
Cloud Native Computing Foundation
Product(s)
Kubernetes
Affected version(s)
Kubernetes versions before v1.11.9
Fixed version(s)
Kubernetes versions v1.11.9, v1.12.7, v1.13.5, and v1.14.0
Proof of concept
Unknown
Description
Another security issue was discovered with the Kubernetes kubectl cp command that could enable a directory traversal such that a malicious container could replace or create files on a user’s workstation. The vulnerability is a client-side defect and requires user interaction to be exploited.
Technical details
Unknown
Credits
Ariel Zelivansky (Twistlock)
Reference(s)
[ANNOUNCE] Incomplete fixes for CVE-2019-1002101, kubectl cp potential directory traversal – CVE-2019-11246
https://www.openwall.com/lists/oss-security/2019/06/21/1
[ANNOUNCE] Incomplete fixes for CVE-2019-1002101, kubectl cp potential directory traversal – CVE-2019-11246
https://groups.google.com/forum/#!topic/kubernetes-security-announce/NLs2TGbfPdo
ASA-2019-00493 – Kubernetes: Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal
https://allelesecurity.com/asa-2019-00493/
CVE-2019-11246
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11246
CVE-2019-11246
https://nvd.nist.gov/vuln/detail/CVE-2019-11246
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: August 29, 2019