ASA-2019-00391 – Kubernetes: Incomplete fixes for CVE-2019-1002101, kubectl cp potential directory traversal


Allele Security Alert

ASA-2019-00391

Identifier(s)

ASA-2019-00391, CVE-2019-11246

Title

Incomplete fixes for CVE-2019-1002101, kubectl cp potential directory traversal

Vendor(s)

Cloud Native Computing Foundation

Product(s)

Kubernetes

Affected version(s)

Kubernetes versions before v1.11.9

Fixed version(s)

Kubernetes versions v1.11.9, v1.12.7, v1.13.5, and v1.14.0

Proof of concept

Unknown

Description

Another security issue was discovered with the Kubernetes kubectl cp command that could enable a directory traversal such that a malicious container could replace or create files on a user’s workstation. The vulnerability is a client-side defect and requires user interaction to be exploited.

Technical details

Unknown
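The advisory records no technical details. The following is an added example, not Kubernetes code, and it assumes the bug class typically behind a `kubectl cp` traversal: entries in the tar stream received from the container whose names or symlink targets point outside the local destination directory. It shows the path checks a client-side untar would apply to every entry before writing anything to disk; the function names and the `/tmp/dest` destination are constructed for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// insideDest reports whether the cleaned absolute path p is dest or lies beneath it.
func insideDest(dest, p string) bool {
	rel, err := filepath.Rel(dest, p)
	if err != nil {
		return false
	}
	return rel == "." || (rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator)))
}

// safeExtractPath maps a tar entry name onto a path under dest, refusing absolute
// names and names that climb out of dest with "..".
func safeExtractPath(dest, name string) (string, error) {
	dest = filepath.Clean(dest)
	if filepath.IsAbs(name) {
		return "", fmt.Errorf("absolute entry name %q rejected", name)
	}
	target := filepath.Join(dest, name) // Join cleans, so ".." segments collapse
	if !insideDest(dest, target) {
		return "", fmt.Errorf("entry %q escapes %q", name, dest)
	}
	return target, nil
}

// safeLinkTarget checks a symlink entry: its own name must be valid and its target,
// resolved relative to the entry's directory, must stay under dest. Checking only
// entry names and ignoring link targets is the gap that lets a traversal survive.
func safeLinkTarget(dest, name, linkname string) error {
	entryPath, err := safeExtractPath(dest, name)
	if err != nil {
		return err
	}
	if filepath.IsAbs(linkname) {
		return fmt.Errorf("symlink %q has absolute target %q", name, linkname)
	}
	if !insideDest(filepath.Clean(dest), filepath.Join(filepath.Dir(entryPath), linkname)) {
		return fmt.Errorf("symlink %q -> %q escapes %q", name, linkname, dest)
	}
	return nil
}
```

Lexical checks alone are not enough if an earlier entry has already created a symlink to a directory that a later entry then writes through; an extractor should also refuse to follow existing links when opening the target path, or create symlinks only after all regular files are written.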

Credits

Ariel Zelivansky (Twistlock)

Reference(s)

[ANNOUNCE] Incomplete fixes for CVE-2019-1002101, kubectl cp potential directory traversal – CVE-2019-11246
https://www.openwall.com/lists/oss-security/2019/06/21/1

[ANNOUNCE] Incomplete fixes for CVE-2019-1002101, kubectl cp potential directory traversal – CVE-2019-11246
https://groups.google.com/forum/#!topic/kubernetes-security-announce/NLs2TGbfPdo

ASA-2019-00493 – Kubernetes: Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal
https://allelesecurity.com/asa-2019-00493/

CVE-2019-11246
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11246

CVE-2019-11246
https://nvd.nist.gov/vuln/detail/CVE-2019-11246

If there is any error in this alert, or if you would like a comprehensive analysis, let us know.

Last modified: August 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.