Allele Security Alert
ASA-2019-00493
Identifier(s)
ASA-2019-00493, CVE-2019-11249
Title
Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal
Vendor(s)
Cloud Native Computing Foundation
Product(s)
Kubernetes
Affected version(s)
Kubernetes versions before v1.13.9
Kubernetes versions before v1.14.5
Kubernetes versions before v1.15.2
Fixed version(s)
Kubernetes version v1.13.9
Kubernetes version v1.14.5
Kubernetes version v1.15.2
Proof of concept
Unknown
Description
This vulnerability allows a malicious container to cause a file to be created or replaced on the client computer when the client uses the kubectl cp operation. The vulnerability is a client-side defect and requires user interaction to be exploited.
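The defensive check this class of bug calls for, shown as an added illustration rather than code from Kubernetes or from this advisory (the advisory gives no technical details of the actual kubectl cp code path): a tar extractor must validate every entry name against the destination directory before writing anything, since the archive contents come from the container and are untrusted. Function names, the destination path and the sample archive below are all constructed for the example.

```go
package main
import (
	"archive/tar"
	"bytes"
	"errors"
	"io"
	"path/filepath"
	"strings"
)

// SafeExtractPath resolves a tar entry name under destDir and rejects any name that
// would land outside it, whether via an absolute path or ".." components.
func SafeExtractPath(destDir, name string) (string, error) {
	dest := filepath.Clean(destDir)
	target := filepath.Join(dest, name) // Join cleans, so ".." segments are resolved here
	rel, err := filepath.Rel(dest, target)
	if filepath.IsAbs(name) || err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("tar entry escapes destination directory: " + name)
	}
	return target, nil
}

// RejectedEntries scans a tar stream without writing to disk and returns the entry names SafeExtractPath refuses under destDir.
func RejectedEntries(destDir string, r io.Reader) ([]string, error) {
	var rejected []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		} else if err != nil {
			return nil, err
		}
		if _, perr := SafeExtractPath(destDir, hdr.Name); perr != nil {
			rejected = append(rejected, hdr.Name)
		}
	}
}

// SampleArchive builds a constructed in-memory archive (not data from any real pod):
// one benign file, one ".." traversal entry and one absolute-path entry, all empty.
func SampleArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, name := range []string{"app/config.yaml", "../../.bashrc", "/etc/cron.d/job"} {
		tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: 0}) // empty bodies suffice here
	}
	tw.Close()
	return buf.Bytes()
}
```

Only the first entry passes; the two hostile names are reported without a single write to disk, which is the point of checking before extraction rather than after.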
Technical details
Unknown
Credits
Yang Yang (Amazon)
Reference(s)
Kubernetes v1.13.9, v1.14.5, v1.15.2 released to address CVE-2019-11247, CVE-2019-11249
https://www.openwall.com/lists/oss-security/2019/08/05/5
v1.13.9, v1.14.5, v1.15.2 released to address CVE-2019-11247, CVE-2019-11249
https://groups.google.com/forum/#!topic/kubernetes-security-announce/vUtEcSEY6SM
CVE-2019-11249: Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal #80984
https://github.com/kubernetes/kubernetes/issues/80984
CHANGELOG-1.13.md
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.13.md
CHANGELOG-1.14.md
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.14.md
CHANGELOG-1.15.md
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.15.md
ASA-2019-00391 – Kubernetes: Incomplete fixes for CVE-2019-1002101, kubectl cp potential directory traversal
https://allelesecurity.com/asa-2019-00391/
CVE-2019-11249
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11249
CVE-2019-11249
https://nvd.nist.gov/vuln/detail/CVE-2019-11249
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: August 29, 2019